authorBjorn Sandell <biorn@cvs.openbsd.org>2004-10-29 15:55:44 +0000
committerBjorn Sandell <biorn@cvs.openbsd.org>2004-10-29 15:55:44 +0000
commit53eb4dc61cf910f8eb187eb5ca79ee29f2f05c79 (patch)
tree1f52bede0187efbee9ed510c08942cc6577e8ace
parent824b2e33391a7543b1e0c5c8d1b694263ae18848 (diff)
Import of heimdal-0.6.3
-rw-r--r--kerberosV/src/ChangeLog343
-rw-r--r--kerberosV/src/Makefile.am.common33
-rw-r--r--kerberosV/src/Makefile.in912
-rw-r--r--kerberosV/src/NEWS91
-rw-r--r--kerberosV/src/TODO8
-rw-r--r--kerberosV/src/TODO-1.06
-rw-r--r--kerberosV/src/admin/get.c6
-rw-r--r--kerberosV/src/appl/afsutil/ChangeLog5
-rw-r--r--kerberosV/src/appl/afsutil/afslog.cat160
-rw-r--r--kerberosV/src/appl/login/login.1226
-rw-r--r--kerberosV/src/appl/login/login.access.556
-rw-r--r--kerberosV/src/appl/login/login.access.cat545
-rw-r--r--kerberosV/src/appl/login/login.cat1153
-rw-r--r--kerberosV/src/appl/popper/popper.cat854
-rw-r--r--kerberosV/src/appl/rcp/rcp.167
-rw-r--r--kerberosV/src/appl/rsh/rsh.cat1130
-rw-r--r--kerberosV/src/appl/rsh/rshd.cat879
-rw-r--r--kerberosV/src/cf/destdirs.m418
-rw-r--r--kerberosV/src/cf/dlopen.m48
-rw-r--r--kerberosV/src/cf/irix.m426
-rw-r--r--kerberosV/src/cf/otp.m427
-rw-r--r--kerberosV/src/cf/sunos.m425
-rw-r--r--kerberosV/src/cf/telnet.m478
-rwxr-xr-xkerberosV/src/compile136
-rw-r--r--kerberosV/src/config.sub497
-rw-r--r--kerberosV/src/doc/ack.texi4
-rw-r--r--kerberosV/src/doc/heimdal.info81
-rw-r--r--kerberosV/src/doc/heimdal.info-1324
-rw-r--r--kerberosV/src/doc/heimdal.info-2181
-rw-r--r--kerberosV/src/include/config.h.in6
-rw-r--r--kerberosV/src/kadmin/ChangeLog7
-rw-r--r--kerberosV/src/lib/asn1/der_free.c7
-rw-r--r--kerberosV/src/lib/asn1/der_length.c61
-rw-r--r--kerberosV/src/lib/asn1/der_locl.h5
-rw-r--r--kerberosV/src/lib/asn1/gen_free.c10
-rw-r--r--kerberosV/src/lib/asn1/gen_length.c6
-rw-r--r--kerberosV/src/lib/asn1/k5.asn19
-rw-r--r--kerberosV/src/lib/des/des.cat1132
-rw-r--r--kerberosV/src/lib/des/des_crypt.cat3264
-rw-r--r--kerberosV/src/lib/gssapi/8003.c47
-rw-r--r--kerberosV/src/lib/gssapi/ChangeLog69
-rw-r--r--kerberosV/src/lib/gssapi/accept_sec_context.c22
-rw-r--r--kerberosV/src/lib/gssapi/acquire_cred.c12
-rw-r--r--kerberosV/src/lib/gssapi/add_cred.c56
-rw-r--r--kerberosV/src/lib/gssapi/arcfour.c623
-rw-r--r--kerberosV/src/lib/gssapi/arcfour.h98
-rw-r--r--kerberosV/src/lib/gssapi/context_time.c50
-rw-r--r--kerberosV/src/lib/gssapi/decapsulate.c81
-rw-r--r--kerberosV/src/lib/gssapi/encapsulate.c22
-rw-r--r--kerberosV/src/lib/gssapi/get_mic.c6
-rw-r--r--kerberosV/src/lib/gssapi/gss_acquire_cred.cat3275
-rw-r--r--kerberosV/src/lib/gssapi/gssapi.cat3101
-rw-r--r--kerberosV/src/lib/gssapi/gssapi_locl.h33
-rw-r--r--kerberosV/src/lib/gssapi/init_sec_context.c43
-rw-r--r--kerberosV/src/lib/gssapi/release_cred.c12
-rw-r--r--kerberosV/src/lib/gssapi/unwrap.c7
-rw-r--r--kerberosV/src/lib/gssapi/verify_mic.c20
-rw-r--r--kerberosV/src/lib/gssapi/wrap.c8
-rw-r--r--kerberosV/src/lib/hdb/db3.c17
-rw-r--r--kerberosV/src/lib/kadm5/ChangeLog16
-rw-r--r--kerberosV/src/lib/kadm5/chpass_s.c12
-rw-r--r--kerberosV/src/lib/kadm5/truncate_log.c5
-rw-r--r--kerberosV/src/lib/kafs/ChangeLog9
-rw-r--r--kerberosV/src/lib/krb5/changepw.c548
-rw-r--r--kerberosV/src/lib/krb5/eai_to_heim_errno.c6
-rw-r--r--kerberosV/src/lib/krb5/get_cred.c90
-rw-r--r--kerberosV/src/lib/krb5/get_for_creds.c136
-rw-r--r--kerberosV/src/lib/krb5/get_in_tkt.c12
-rw-r--r--kerberosV/src/lib/krb5/init_creds_pw.c8
-rw-r--r--kerberosV/src/lib/krb5/kerberos.cat855
-rw-r--r--kerberosV/src/lib/krb5/krb5-private.h33
-rw-r--r--kerberosV/src/lib/krb5/krb5.cat3204
-rw-r--r--kerberosV/src/lib/krb5/krb5.conf.cat5476
-rw-r--r--kerberosV/src/lib/krb5/krb5_425_conv_principal.cat3141
-rw-r--r--kerberosV/src/lib/krb5/krb5_address.cat3163
-rw-r--r--kerberosV/src/lib/krb5/krb5_aname_to_localname.cat337
-rw-r--r--kerberosV/src/lib/krb5/krb5_appdefault.cat355
-rw-r--r--kerberosV/src/lib/krb5/krb5_auth_context.cat3167
-rw-r--r--kerberosV/src/lib/krb5/krb5_build_principal.cat358
-rw-r--r--kerberosV/src/lib/krb5/krb5_ccache.cat3176
-rw-r--r--kerberosV/src/lib/krb5/krb5_config.cat357
-rw-r--r--kerberosV/src/lib/krb5/krb5_context.cat319
-rw-r--r--kerberosV/src/lib/krb5/krb5_create_checksum.cat352
-rw-r--r--kerberosV/src/lib/krb5/krb5_crypto_init.cat332
-rw-r--r--kerberosV/src/lib/krb5/krb5_data.cat371
-rw-r--r--kerberosV/src/lib/krb5/krb5_encrypt.cat344
-rw-r--r--kerberosV/src/lib/krb5/krb5_free_addresses.cat321
-rw-r--r--kerberosV/src/lib/krb5/krb5_free_principal.cat323
-rw-r--r--kerberosV/src/lib/krb5/krb5_get_all_client_addrs.cat337
-rw-r--r--kerberosV/src/lib/krb5/krb5_get_krbhst.cat354
-rw-r--r--kerberosV/src/lib/krb5/krb5_init_context.cat334
-rw-r--r--kerberosV/src/lib/krb5/krb5_keytab.cat3212
-rw-r--r--kerberosV/src/lib/krb5/krb5_krbhst_init.cat3104
-rw-r--r--kerberosV/src/lib/krb5/krb5_kuserok.cat336
-rw-r--r--kerberosV/src/lib/krb5/krb5_openlog.cat3156
-rw-r--r--kerberosV/src/lib/krb5/krb5_parse_name.cat330
-rw-r--r--kerberosV/src/lib/krb5/krb5_principal_get_realm.cat342
-rw-r--r--kerberosV/src/lib/krb5/krb5_set_default_realm.cat361
-rw-r--r--kerberosV/src/lib/krb5/krb5_set_password.3109
-rw-r--r--kerberosV/src/lib/krb5/krb5_set_password.cat346
-rw-r--r--kerberosV/src/lib/krb5/krb5_sname_to_principal.cat336
-rw-r--r--kerberosV/src/lib/krb5/krb5_timeofday.cat325
-rw-r--r--kerberosV/src/lib/krb5/krb5_unparse_name.cat324
-rw-r--r--kerberosV/src/lib/krb5/krb5_verify_user.cat3128
-rw-r--r--kerberosV/src/lib/krb5/krb5_warn.cat366
-rw-r--r--kerberosV/src/lib/krb5/mcache.c24
-rw-r--r--kerberosV/src/lib/krb5/mk_safe.c4
-rw-r--r--kerberosV/src/lib/krb5/parse-name-test.c4
-rw-r--r--kerberosV/src/lib/krb5/ticket.c11
-rw-r--r--kerberosV/src/lib/krb5/verify_krb5_conf.cat857
-rw-r--r--kerberosV/src/lib/roken/ChangeLog15
-rw-r--r--kerberosV/src/lib/roken/gai_strerror.c6
-rw-r--r--kerberosV/src/lib/roken/getarg.cat3230
-rw-r--r--kerberosV/src/lib/roken/roken-common.h6
114 files changed, 9045 insertions, 1026 deletions
diff --git a/kerberosV/src/ChangeLog b/kerberosV/src/ChangeLog
index c701be6bbe8..159cf48a415 100644
--- a/kerberosV/src/ChangeLog
+++ b/kerberosV/src/ChangeLog
@@ -1,3 +1,346 @@
+2004-09-13 Johan Danielsson <joda@pdc.kth.se>
+
+ * Release 0.6.3
+
+2004-09-05 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/asn1/der_get.c (decode_enumerated): check that the tag
+ length isn't longer the the length
+
+2004-08-31 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/init_creds_pw.c (krb5_get_init_creds_password):
+ kdc_reply can be set in case of failure too, clean on entry and
+ free the exit unconditionally to avoid memory leak
+
+2004-08-20 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/context.c: 1.93: (krb5_get_err_text): if neither of
+ com_right nor strerror finds the error-code, return Unknown error.
+
+2004-08-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c: based on 1.162: (get_pa_etype_info): check for
+ dup enctypes from the client and filter them out.
+
+2004-06-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * admin/get.c: 1.23: (kt_get): catch errors from krb5_parse_name
+
+2004-06-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/Makefile.am: man_MANS += krb5_set_password.3
+
+ * lib/krb5/krb5_set_password.3: 1.1-1.3: change password manpage
+
+ * lib/krb5/changepw.c: 1.49: implement
+ krb5_set_password_using_ccache 1.47: add tcp support to the set
+ protocol, should be cleaned up to enable sharing code with
+ krb5_sendto 1.46: (process_reply): log into result_string if
+ something goes bad, return 0 (even on failure), not the KPASSWD
+ protocol error code 1.45: krb5_princ_realm ->
+ krb5_principal_get_realm 1.44: (setpw_send_request): free
+ ap_req_data on failure 1.41: ooops, remove cut and paste error
+ 1.40: draft-ietf-cat-kerb-chg-password-02 and rfc3244 share the
+ response packet sure more constants now that they exists 1.39:
+ implement rfc3244, partly from shadow@dementia.org
+
+ * lib/krb5/krb5.h: 1.211: some defines for rfc3244
+
+ * lib/asn1/Makefile.am: 1.71: (gen_files):
+ asn1_ChangePasswdDataMS.x for RFC3244
+
+ * lib/asn1/k5.asn1: 1.30: add ChangePasswdDataMS, for RFC3244
+
+ * kuser/kinit.c: 1.114: move "setpag if (argc < 1)" to common path
+
+2004-05-06 Johan Danielsson <joda@pdc.kth.se>
+
+ * Release 0.6.2
+
+2004-04-02 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/connect.c: case size_t to unsigned long for LP64 platforms
+
+2004-04-01 Johan Danielsson <joda@pdc.kth.se>
+
+ * Release 0.6.1
+
+2004-03-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos4.c: 1.46: stop the client from renewing tickets
+ into the future From: Jeffrey Hutzelman <jhutz@cmu.edu>
+
+2004-03-10 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/fcache.c: 1.43: (fcc_store_cred): NULL terminate
+ krb5_config_get_bool_default' arglist
+
+2004-03-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/krb5.conf.5: 1.44: document
+ [libdefaults]fcc-mit-ticketflags=boolean 1.43: don't use path's in
+ first .Nm, it confuses some locate.updatedb, use FILES section to
+ describe where the file is instead.
+
+ * lib/krb5/fcache.c (fcc_store_cred): default to use old format
+
+ * lib/krb5/fcache.c: 1.42: (fcc_store_cred): use
+ [libdefaults]fcc-mit-ticketflags=boolean to decide what format to
+ write the fcc in. Default to mit format (aka heimdal 0.7 format)
+ 1.41: (_krb5_xlock): handle that everything was ok, and don't put
+ an error in the error strings then
+
+ * lib/krb5/store.c: 1.43: add _krb5_store_creds_heimdal_0_7 and
+ _krb5_store_creds_heimdal_pre_0_7 that store the creds in just
+ that format make krb5_store_creds default to mit format 1.42:
+ (krb5_ret_creds): Runtime detect the what is the higher bits of
+ the bitfield 1.41: (krb5_store_creds): add disabled code that
+ store the ticket flags in reverse order (bitswap32): new function
+ 1.40: (krb5_ret_creds): if the higher ticket flags are set, its a
+ mit cache, reverse the bits, bug pointed out by Sergio Gelato
+ <Sergio.Gelato@astro.su.se>
+
+ delta modfied to not change the behavior of krb5_store_creds
+
+2004-03-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/mk_safe.c (krb5_mk_safe): fix assignment of usec2
+
+2004-03-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/mcache.c: patch based on 1.17 and 1.18 but with
+ threading code pulled out;
+
+ 1.18: (mcc_get_principal): also check for primary_principal ==
+ NULL now that that isn't used as dead flag 1.17: don't overload
+ the primary_principal == NULL as dead since that doesn't always
+ work Based on patch from Jeffrey Hutzelman <jhutz@cmu.edu>, but
+ tweek by me
+
+ * lib/krb5/crypto.c: 1.94: (decrypt_internal_special): do not not
+ modify the original data test case from Ronnie Sahlberg
+ <ronnie_sahlberg@ozemail.com.au>
+
+2004-02-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/verify_krb5_conf.c: 1.22->1.23: (check_host): don't
+ check for EAI_NODATA, because its depricated in RFC3493 Pointed
+ out by Hajimu UMEMOTO <ume@mahoroba.org> on heimdal-discuss
+
+ * lib/krb5/eai_to_heim_errno.c: 1.3->1.4: EAI_ADDRFAMILY and
+ EAI_NODATA is deprecated in RFC3493
+
+2004-02-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/asn1/der_length.c: 1.16: Fix len_unsigned for certain
+ negative integers, it got the length wrong, fix from Panasas, Inc.
+
+ * lib/asn1/der_locl.h: 1.5: add _heim_len_unsigned, _heim_len_int
+
+2004-01-26 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/asn1/gen_length.c: 1.14: (length_type): TSequenceOf: add up
+ the size of all the elements, don't use just the size of the last
+ element.
+
+ * lib/krb5/fcache.c: 1.40: (_krb5_xlock): catch EINVAL and assume
+ that it means that the filesystem doesn't support locking 1.39:
+ (_krb5_xlock): fix compile error in last commit 1.38: internally
+ export x{,un}lock and thus prefix them with _krb5_
+
+2004-01-13 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/kinit.c: 1.106: (renew_validate): if renewable_flag and
+ not time specifed, use "1 month"
+ 1.105: make -9 work again
+
+2004-01-09 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/get_for_creds.c: 1.36: (add_addrs): don't increase
+ addr->len until in contains interesting data, use right iteration
+ counter when clearing the addresses 1.39: krb5_princ_realm ->
+ krb5_principal_get_realm 1.38: (krb5_get_forwarded_creds): use
+ KRB5_AUTH_CONTEXT_DO_TIME if we want timestamp in forwarded
+ krb-cred 1.39: (krb5_get_forwarded_creds): If tickets are
+ address-less, forward address-less tickets. 1.40:
+ (krb5_get_forwarded_creds): try to handle errors better for
+ previous commit 1.41: (add_addrs): don't add same address multiple
+ times
+
+ * lib/krb5/get_cred.c: 1.96->1.97: rename get_krbtgt to
+ _krb5_get_krbtgt and export it
+
+2003-12-14 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/kerberos5.c: part of 1.146->1.147: handle NULL client/server
+ names
+
+2003-12-03 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/crypto.c: 1.90->1.91: require cipher-text to be padded
+ to padsize 1.91->1.92: (decrypt_internal_derived): move up padsize
+ check to avoid memory leak
+
+2003-12-01 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kuser/kinit.c: 1.103->1.104: (main): return the return value
+ from simple_execvp
+
+2003-10-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/transited.c: 1.13->1.14: (krb5_domain_x500_encode):
+ always zero out encoding to make sure it have a defined value on
+ failure
+
+ * lib/krb5/transited.c: 1.12->1.13: (krb5_domain_x500_encode): if
+ num_realms == 0, set encoding and return (avoids malloc(0)) check
+ return value from malloc
+
+2003-10-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * doc/setup.texi: 1.35->1.36: spelling
+
+ * kdc/kdc_locl.h: 1.58->1.59: add flag to always check transited
+ policy
+
+ * doc/setup.texi: 1.27->1.35: many changes
+
+ * lib/krb5/get_cred.c: 1.95->1.96: get capath info from [capaths]
+ section
+
+ * lib/krb5/rd_req.c: 1.50->1.51: (krb5_decrypt_ticket): try to
+ verify transited realms, unless the transited-policy-checked flag
+ is set
+
+ * lib/krb5/transited.c:
+ 1.12: (krb5_domain_x500_decode): set *num_realms to zero not num_realms
+ 1.11: (krb5_domain_x500_decode): handle zero length tr data;
+ (krb5_check_transited): new function that does more useful stuff
+
+ * kdc/kdc.8: 1.23->1.24: document enforce-transited-policy
+
+ * kdc/config.c: 1.47->1.48: add flag to always check transited
+ policy
+
+ * kdc/kerberos5.c:
+ 1.150: (fix_transited_encoding): also verify with policy,
+ unless asked not to
+ 1.151: always check transited policy if flag set either globally
+ (on principal part of patch not pulled up)
+ 1.152: (fix_transited_encoding): set transited type
+ 1.153: (fix_transited_encoding): always print cross-realm information
+
+2003-10-06 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/config_file.c: 1.48->1.49:
+ (krb5_config_parse_file_debug): punt if there is binding before a
+ section declaration.
+ Bug found by Arkadiusz Miskiewicz <arekm@pld-linux.org>
+
+ * kdc/kaserver.c: 1.21->1.23:
+ (do_getticket): if times data is shorter then 8 bytes, request is
+ malformed.
+ (do_authenticate): if request length is less then 8 bytes, its a
+ bad request and fail. Pointed out by Marco Foglia <marco@foglia.org>
+
+2003-09-22 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/verify_krb5_conf.c: 1.17->1.18: add missing " within
+ #if 0 From: stefan sokoll <stefansokoll@yahoo.de>
+
+2003-09-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/rd_req.c:
+ 1.47->1.48: (krb5_rd_req): allow caller to pass in a key
+ in the auth_context, they way processes that doesn't use the
+ keytab can still pass in the key of the service (matches behavior
+ of MIT Kerberos).
+
+2003-09-18 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/crypto.c:
+ 1.87->1.88: (usage2arcfour): simplify, only
+ include special cases From: Luke Howard <lukeh@PADL.COM>
+ 1.86->1.87: (arcfour_checksum_p): return true when is arcfour,
+ not when its not pointed out by Luke Howard
+ 1.82->1.83: Do the arcfour checksum mapping for
+ krb5_create_checksum and krb5_verify_checksum, From: Luke Howard
+ <lukeh@PADL.COM>
+ 1.81->1.82: (hmac): make it return an error
+ when out of memory, update callsites to either return error or use
+ krb5_abortx
+ (krb5_hmac): expose hmac
+ * lib/krb5/mk_req_ext.c: 1.26->1.27: (krb5_mk_req_internal):
+ when using arcfour-hmac-md5, use an unkeyed checksum
+ (rsa-md5), since Microsoft calculates the keyed checksum with
+ the subkey of the authenticator.
+
+ * lib/krb5/get_cred.c:
+ 1.93->1.94 (init_tgs_req): make generation of subkey
+ optional on configuration parameter
+ [realms]realm={tgs_require_subkey=bool}
+ defaults to off. The RFC1510 weakly defines the correct behavior,
+ so old DCE secd apparently required the subkey to be there, and MS
+ will use it when its there. But the request isn't encrypted in the
+ subkey, so you get to choose if you want to talk to a MS mdc or a
+ old DCE secd.
+
+ partly 1.91->1.92: (init_tgs_req): in case of error, don't
+ free in the req_body addresses since they where pass in by caller
+
+ lib/krb5/get_in_tkt.c:
+ 1.108->1.1.09: (krb5_get_in_tkt): for compatibility with with
+ the mit implemtation, don't free `creds' argument when done, its up
+ the the caller to do that, also allow a NULL ccache.
+
+ * doc/ack.texi
+ 1.16->1.17: update Luke Howard email address
+
+ * lib/hdb/hdb-ldap.c:
+ 1.13->1.14: code rewrite from Luke Howard <lukeh@PADL.COM>
+ 1.12->1.13: (LDAP_store): log what principal/dn failed
+ 1.11->1.12: use int2HDBFlags/HDBFlags2int
+ From: Alberto Patino <jalbertop@aranea.com.mx>,
+ Luke Howard <lukeh@PADL.COM>
+ Pointed out by Andrew Bartlett of Samba
+ 1.10->1.11: (LDAP__connect): bind sasl "EXTERNAL" to ldap connection
+ (LDAP_store): remove superfluous argument to asprintf
+ From Alberto Patino <jalbertop@aranea.com.mx>
+
+ * lib/krb5/krb5.h:
+ 1.214->1.2015: add KEYTYPE_ARCFOUR_56
+
+2003-09-12 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/config_file.c: fix prototypes Fredrik Ljungberg
+ <flag@pobox.se>
+
+2003-09-11 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb/hdb_locl.h: 1.18->1.19: include <limits.h> for ULONG_MAX
+ noted by Wissler Magnus <M.Wissler@abalon.se> on heimdal-discuss
+
+2003-08-29 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/hdb/db3.c: 1.8->1.9: patch for working with DB4 on
+ heimdal-discuss From: Luke Howard <lukeh@PADL.COM> 1.9->1.10: try
+ to include more db headers
+
+2003-08-25 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * kdc/connect.c: 1.92->1.93 (handle_tcp): handle recvfrom
+ returning 0 (connection closed) 1.91->1.92: (grow_descr):
+ increment the size after we succeed to allocate the space
+
+2003-08-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * lib/krb5/principal.c: 1.83->1.85: (unparse_name): len can't be
+ zero, so, don't check for that
+ (unparse_name): make sure there are space for a NUL, set *name to NULL
+ when there is a failure (so caller can't get hold of a freed
+ pointer)
+
2003-05-08 Johan Danielsson <joda@ratatosk.pdc.kth.se>
* Release 0.6
diff --git a/kerberosV/src/Makefile.am.common b/kerberosV/src/Makefile.am.common
index 8ab7774f8a7..eee211fe86b 100644
--- a/kerberosV/src/Makefile.am.common
+++ b/kerberosV/src/Makefile.am.common
@@ -1,35 +1,4 @@
-# $KTH: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+# $KTH: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
include $(top_srcdir)/cf/Makefile.am.common
-SUFFIXES += .x
-
-.x.c:
- @cmp -s $< $@ 2> /dev/null || cp $< $@
-
-CHECK_LOCAL = $(PROGRAMS)
-
-check-local::
- @foo='$(CHECK_LOCAL)'; \
- if test "$$foo"; then \
- failed=0; all=0; \
- for i in $$foo; do \
- all=`expr $$all + 1`; \
- if ./$$i --version > /dev/null 2>&1; then \
- echo "PASS: $$i"; \
- else \
- echo "FAIL: $$i"; \
- failed=`expr $$failed + 1`; \
- fi; \
- done; \
- if test "$$failed" -eq 0; then \
- banner="All $$all tests passed"; \
- else \
- banner="$$failed of $$all tests failed"; \
- fi; \
- dashes=`echo "$$banner" | sed s/./=/g`; \
- echo "$$dashes"; \
- echo "$$banner"; \
- echo "$$dashes"; \
- test "$$failed" -eq 0; \
- fi
diff --git a/kerberosV/src/Makefile.in b/kerberosV/src/Makefile.in
index e2ba670d751..da5ec3714f7 100644
--- a/kerberosV/src/Makefile.in
+++ b/kerberosV/src/Makefile.in
@@ -1,7 +1,8 @@
-# Makefile.in generated automatically by automake 1.4b from Makefile.am
+# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# @configure_input@
-# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
-# Free Software Foundation, Inc.
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -11,261 +12,398 @@
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
-SHELL = @SHELL@
+@SET_MAKE@
+
+# $KTH: Makefile.am,v 1.16 2000/11/15 22:54:15 assar Exp $
+
+# $KTH: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
+# $KTH: Makefile.am.common,v 1.37.2.2 2003/10/13 13:15:39 joda Exp $
srcdir = @srcdir@
top_srcdir = @top_srcdir@
VPATH = @srcdir@
-prefix = @prefix@
-exec_prefix = @exec_prefix@
-
-bindir = @bindir@
-sbindir = @sbindir@
-libexecdir = @libexecdir@
-datadir = @datadir@
-sysconfdir = @sysconfdir@
-sharedstatedir = @sharedstatedir@
-localstatedir = @localstatedir@
-libdir = @libdir@
-infodir = @infodir@
-mandir = @mandir@
-includedir = @includedir@
-oldincludedir = /usr/include
-
pkgdatadir = $(datadir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
-
top_builddir = .
-
-ACLOCAL = @ACLOCAL@
-AUTOCONF = @AUTOCONF@
-AUTOMAKE = @AUTOMAKE@
-AUTOHEADER = @AUTOHEADER@
-
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_FLAG =
-transform = @program_transform_name@
-
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
-
-@SET_MAKE@
-host_alias = @host_alias@
host_triplet = @host@
+DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in $(top_srcdir)/Makefile.am.common \
+ $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure \
+ ChangeLog NEWS TODO compile config.guess config.sub install-sh \
+ ltconfig ltmain.sh missing mkinstalldirs
+subdir = .
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \
+ $(top_srcdir)/cf/auth-modules.m4 \
+ $(top_srcdir)/cf/broken-getaddrinfo.m4 \
+ $(top_srcdir)/cf/broken-getnameinfo.m4 \
+ $(top_srcdir)/cf/broken-glob.m4 \
+ $(top_srcdir)/cf/broken-realloc.m4 \
+ $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \
+ $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \
+ $(top_srcdir)/cf/capabilities.m4 \
+ $(top_srcdir)/cf/check-compile-et.m4 \
+ $(top_srcdir)/cf/check-declaration.m4 \
+ $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \
+ $(top_srcdir)/cf/check-man.m4 \
+ $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \
+ $(top_srcdir)/cf/check-type-extra.m4 \
+ $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \
+ $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \
+ $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \
+ $(top_srcdir)/cf/dlopen.m4 \
+ $(top_srcdir)/cf/find-func-no-libs.m4 \
+ $(top_srcdir)/cf/find-func-no-libs2.m4 \
+ $(top_srcdir)/cf/find-func.m4 \
+ $(top_srcdir)/cf/find-if-not-broken.m4 \
+ $(top_srcdir)/cf/have-struct-field.m4 \
+ $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \
+ $(top_srcdir)/cf/krb-bigendian.m4 \
+ $(top_srcdir)/cf/krb-func-getlogin.m4 \
+ $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \
+ $(top_srcdir)/cf/krb-readline.m4 \
+ $(top_srcdir)/cf/krb-struct-spwd.m4 \
+ $(top_srcdir)/cf/krb-struct-winsize.m4 \
+ $(top_srcdir)/cf/mips-abi.m4 $(top_srcdir)/cf/misc.m4 \
+ $(top_srcdir)/cf/need-proto.m4 $(top_srcdir)/cf/osfc2.m4 \
+ $(top_srcdir)/cf/otp.m4 $(top_srcdir)/cf/proto-compat.m4 \
+ $(top_srcdir)/cf/retsigtype.m4 $(top_srcdir)/cf/roken-frag.m4 \
+ $(top_srcdir)/cf/sunos.m4 $(top_srcdir)/cf/telnet.m4 \
+ $(top_srcdir)/cf/test-package.m4 $(top_srcdir)/cf/wflags.m4 \
+ $(top_srcdir)/cf/with-all.m4 $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
+ configure.lineno configure.status.lineno
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/include/config.h
+CONFIG_CLEAN_FILES =
+depcomp =
+am__depfiles_maybe =
+SOURCES =
+DIST_SOURCES =
+RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
+ html-recursive info-recursive install-data-recursive \
+ install-exec-recursive install-info-recursive \
+ install-recursive installcheck-recursive installdirs-recursive \
+ pdf-recursive ps-recursive uninstall-info-recursive \
+ uninstall-recursive
+ETAGS = etags
+CTAGS = ctags
+DIST_SUBDIRS = $(SUBDIRS)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+distdir = $(PACKAGE)-$(VERSION)
+top_distdir = $(distdir)
+am__remove_distdir = \
+ { test ! -d $(distdir) \
+ || { find $(distdir) -type d ! -perm -200 -exec chmod u+w {} ';' \
+ && rm -fr $(distdir); }; }
+DIST_ARCHIVES = $(distdir).tar.gz
+GZIP_ENV = --best
+distuninstallcheck_listfiles = find . -type f -print
+distcleancheck_listfiles = find . -type f -print
+ACLOCAL = @ACLOCAL@
+AIX4_FALSE = @AIX4_FALSE@
+AIX4_TRUE = @AIX4_TRUE@
+AIX_DYNAMIC_AFS_FALSE = @AIX_DYNAMIC_AFS_FALSE@
+AIX_DYNAMIC_AFS_TRUE = @AIX_DYNAMIC_AFS_TRUE@
AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
-AMDEP = @AMDEP@
+AIX_FALSE = @AIX_FALSE@
+AIX_TRUE = @AIX_TRUE@
AMTAR = @AMTAR@
-AS = @AS@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CANONICAL_HOST = @CANONICAL_HOST@
CATMAN = @CATMAN@
CATMANEXT = @CATMANEXT@
+CATMAN_FALSE = @CATMAN_FALSE@
+CATMAN_TRUE = @CATMAN_TRUE@
CC = @CC@
+CFLAGS = @CFLAGS@
COMPILE_ET = @COMPILE_ET@
CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
CXX = @CXX@
CXXCPP = @CXXCPP@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
DBLIB = @DBLIB@
-DEPDIR = @DEPDIR@
+DCE_FALSE = @DCE_FALSE@
+DCE_TRUE = @DCE_TRUE@
+DEFS = @DEFS@
DIR_com_err = @DIR_com_err@
DIR_des = @DIR_des@
DIR_roken = @DIR_roken@
-DLLTOOL = @DLLTOOL@
ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
EXEEXT = @EXEEXT@
EXTRA_LIB45 = @EXTRA_LIB45@
+F77 = @F77@
+FFLAGS = @FFLAGS@
GROFF = @GROFF@
+HAVE_DB1_FALSE = @HAVE_DB1_FALSE@
+HAVE_DB1_TRUE = @HAVE_DB1_TRUE@
+HAVE_DB3_FALSE = @HAVE_DB3_FALSE@
+HAVE_DB3_TRUE = @HAVE_DB3_TRUE@
+HAVE_DLOPEN_FALSE = @HAVE_DLOPEN_FALSE@
+HAVE_DLOPEN_TRUE = @HAVE_DLOPEN_TRUE@
+HAVE_NDBM_FALSE = @HAVE_NDBM_FALSE@
+HAVE_NDBM_TRUE = @HAVE_NDBM_TRUE@
+HAVE_OPENSSL_FALSE = @HAVE_OPENSSL_FALSE@
+HAVE_OPENSSL_TRUE = @HAVE_OPENSSL_TRUE@
+HAVE_X_FALSE = @HAVE_X_FALSE@
+HAVE_X_TRUE = @HAVE_X_TRUE@
INCLUDES_roken = @INCLUDES_roken@
-INCLUDE_ = @INCLUDE_@
INCLUDE_des = @INCLUDE_des@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+INCLUDE_krb4 = @INCLUDE_krb4@
+INCLUDE_openldap = @INCLUDE_openldap@
+INCLUDE_readline = @INCLUDE_readline@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IRIX_FALSE = @IRIX_FALSE@
+IRIX_TRUE = @IRIX_TRUE@
+KRB4_FALSE = @KRB4_FALSE@
+KRB4_TRUE = @KRB4_TRUE@
+KRB5_FALSE = @KRB5_FALSE@
+KRB5_TRUE = @KRB5_TRUE@
+LDFLAGS = @LDFLAGS@
LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
-LIB_ = @LIB_@
LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
LIB_NDBM = @LIB_NDBM@
+LIB_XauFileName = @LIB_XauFileName@
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_XauWriteAuth = @LIB_XauWriteAuth@
+LIB_bswap16 = @LIB_bswap16@
+LIB_bswap32 = @LIB_bswap32@
LIB_com_err = @LIB_com_err@
LIB_com_err_a = @LIB_com_err_a@
LIB_com_err_so = @LIB_com_err_so@
+LIB_crypt = @LIB_crypt@
+LIB_db_create = @LIB_db_create@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
LIB_des = @LIB_des@
LIB_des_a = @LIB_des_a@
LIB_des_appl = @LIB_des_appl@
LIB_des_so = @LIB_des_so@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_freeaddrinfo = @LIB_freeaddrinfo@
+LIB_gai_strerror = @LIB_gai_strerror@
+LIB_getaddrinfo = @LIB_getaddrinfo@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_gethostbyname2 = @LIB_gethostbyname2@
+LIB_getnameinfo = @LIB_getnameinfo@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_hesiod = @LIB_hesiod@
+LIB_hstrerror = @LIB_hstrerror@
LIB_kdb = @LIB_kdb@
+LIB_krb4 = @LIB_krb4@
+LIB_krb_disable_debug = @LIB_krb_disable_debug@
+LIB_krb_enable_debug = @LIB_krb_enable_debug@
+LIB_krb_get_kdc_time_diff = @LIB_krb_get_kdc_time_diff@
+LIB_krb_get_our_ip_for_realm = @LIB_krb_get_our_ip_for_realm@
+LIB_krb_kdctimeofday = @LIB_krb_kdctimeofday@
+LIB_loadquery = @LIB_loadquery@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_openldap = @LIB_openldap@
+LIB_openpty = @LIB_openpty@
LIB_otp = @LIB_otp@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_nsearch = @LIB_res_nsearch@
+LIB_res_search = @LIB_res_search@
LIB_roken = @LIB_roken@
LIB_security = @LIB_security@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@
+MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@
MAKEINFO = @MAKEINFO@
NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
NROFF = @NROFF@
-OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
+OTP_FALSE = @OTP_FALSE@
+OTP_TRUE = @OTP_TRUE@
PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
STRIP = @STRIP@
VERSION = @VERSION@
VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
WFLAGS = @WFLAGS@
WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+X_CFLAGS = @X_CFLAGS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_LIBS = @X_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
YACC = @YACC@
-dpagaix_CFLAGS = @dpagaix_CFLAGS@
-dpagaix_LDADD = @dpagaix_LDADD@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+ac_ct_RANLIB = @ac_ct_RANLIB@
+ac_ct_STRIP = @ac_ct_STRIP@
+am__leading_dot = @am__leading_dot@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+datadir = @datadir@
+do_roken_rename_FALSE = @do_roken_rename_FALSE@
+do_roken_rename_TRUE = @do_roken_rename_TRUE@
+dpagaix_cflags = @dpagaix_cflags@
+dpagaix_ldadd = @dpagaix_ldadd@
+dpagaix_ldflags = @dpagaix_ldflags@
+el_compat_FALSE = @el_compat_FALSE@
+el_compat_TRUE = @el_compat_TRUE@
+exec_prefix = @exec_prefix@
+have_err_h_FALSE = @have_err_h_FALSE@
+have_err_h_TRUE = @have_err_h_TRUE@
+have_fnmatch_h_FALSE = @have_fnmatch_h_FALSE@
+have_fnmatch_h_TRUE = @have_fnmatch_h_TRUE@
+have_glob_h_FALSE = @have_glob_h_FALSE@
+have_glob_h_TRUE = @have_glob_h_TRUE@
+have_ifaddrs_h_FALSE = @have_ifaddrs_h_FALSE@
+have_ifaddrs_h_TRUE = @have_ifaddrs_h_TRUE@
+have_vis_h_FALSE = @have_vis_h_FALSE@
+have_vis_h_TRUE = @have_vis_h_TRUE@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+includedir = @includedir@
+infodir = @infodir@
install_sh = @install_sh@
-
-# $KTH: Makefile.am,v 1.16 2000/11/15 22:54:15 assar Exp $
-
-
-# $KTH: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
-
-
-# $KTH: Makefile.am.common,v 1.31 2001/09/01 11:12:18 assar Exp $
-
-
-AUTOMAKE_OPTIONS = foreign no-dependencies 1.4b
-
-SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
-
+libdir = @libdir@
+libexecdir = @libexecdir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+SUFFIXES = .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
-
+@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME
AM_CFLAGS = $(WFLAGS)
-
CP = cp
-
buildinclude = $(top_builddir)/include
-
-LIB_XauReadAuth = @LIB_XauReadAuth@
-LIB_crypt = @LIB_crypt@
-LIB_dbm_firstkey = @LIB_dbm_firstkey@
-LIB_dbopen = @LIB_dbopen@
-LIB_dlopen = @LIB_dlopen@
-LIB_dn_expand = @LIB_dn_expand@
-LIB_el_init = @LIB_el_init@
LIB_getattr = @LIB_getattr@
-LIB_gethostbyname = @LIB_gethostbyname@
LIB_getpwent_r = @LIB_getpwent_r@
-LIB_getpwnam_r = @LIB_getpwnam_r@
-LIB_getsockopt = @LIB_getsockopt@
-LIB_logout = @LIB_logout@
-LIB_logwtmp = @LIB_logwtmp@
LIB_odm_initialize = @LIB_odm_initialize@
-LIB_openpty = @LIB_openpty@
-LIB_pidfile = @LIB_pidfile@
-LIB_res_search = @LIB_res_search@
LIB_setpcred = @LIB_setpcred@
-LIB_setsockopt = @LIB_setsockopt@
-LIB_socket = @LIB_socket@
-LIB_syslog = @LIB_syslog@
-LIB_tgetent = @LIB_tgetent@
-
-LIBS = @LIBS@
-
HESIODLIB = @HESIODLIB@
HESIODINCLUDE = @HESIODINCLUDE@
-INCLUDE_hesiod = @INCLUDE_hesiod@
-LIB_hesiod = @LIB_hesiod@
-
-INCLUDE_krb4 = @INCLUDE_krb4@
-LIB_krb4 = @LIB_krb4@
-
-INCLUDE_openldap = @INCLUDE_openldap@
-LIB_openldap = @LIB_openldap@
-
-INCLUDE_readline = @INCLUDE_readline@
-LIB_readline = @LIB_readline@
-
-LEXLIB = @LEXLIB@
-
NROFF_MAN = groff -mandoc -Tascii
-
-@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
-
-@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
-@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
-
-@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
-
-CHECK_LOCAL = $(PROGRAMS)
+@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la
+@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la
SUBDIRS = include lib kuser kdc admin kadmin kpasswd appl doc tools
-
ACLOCAL_AMFLAGS = -I cf
-
EXTRA_DIST = Makefile.am.common krb5.conf
-subdir = .
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
-CONFIG_HEADER = ./include/config.h
-CONFIG_CLEAN_FILES =
-CFLAGS = @CFLAGS@
-COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
-DIST_SOURCES =
-depcomp =
-DIST_COMMON = README ChangeLog Makefile.am Makefile.in NEWS TODO \
-acconfig.h acinclude.m4 aclocal.m4 config.guess config.sub configure \
-configure.in install-sh ltconfig ltmain.sh missing mkinstalldirs
+all: all-recursive
-
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-
-GZIP_ENV = --best
-DIST_SUBDIRS = $(SUBDIRS)
-all: all-redirect
.SUFFIXES:
-.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
-$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
- cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile
-
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
- cd $(top_builddir) \
- && CONFIG_FILES=$@ CONFIG_HEADERS= $(SHELL) ./config.status
-
-$(ACLOCAL_M4): configure.in acinclude.m4 cf/aix.m4 cf/auth-modules.m4 \
- cf/broken-getaddrinfo.m4 cf/broken-getnameinfo.m4 \
- cf/broken-glob.m4 cf/broken-realloc.m4 \
- cf/broken-snprintf.m4 cf/broken.m4 cf/broken2.m4 \
- cf/c-attribute.m4 cf/c-function.m4 cf/capabilities.m4 \
- cf/check-compile-et.m4 cf/check-declaration.m4 \
- cf/check-getpwnam_r-posix.m4 cf/check-man.m4 \
- cf/check-netinet-ip-and-tcp.m4 cf/check-type-extra.m4 \
- cf/check-var.m4 cf/check-x.m4 cf/check-xau.m4 \
- cf/crypto.m4 cf/db.m4 cf/find-func-no-libs.m4 \
- cf/find-func-no-libs2.m4 cf/find-func.m4 \
- cf/find-if-not-broken.m4 cf/grok-type.m4 \
- cf/have-pragma-weak.m4 cf/have-struct-field.m4 \
- cf/have-type.m4 cf/have-types.m4 cf/krb-bigendian.m4 \
- cf/krb-find-db.m4 cf/krb-func-getcwd-broken.m4 \
- cf/krb-func-getlogin.m4 cf/krb-ipv6.m4 cf/krb-irix.m4 \
- cf/krb-prog-ln-s.m4 cf/krb-prog-ranlib.m4 \
- cf/krb-prog-yacc.m4 cf/krb-readline.m4 \
- cf/krb-struct-spwd.m4 cf/krb-struct-winsize.m4 \
- cf/krb-sys-aix.m4 cf/krb-sys-nextstep.m4 \
- cf/krb-version.m4 cf/mips-abi.m4 cf/misc.m4 \
- cf/need-proto.m4 cf/osfc2.m4 cf/proto-compat.m4 \
- cf/retsigtype.m4 cf/roken-frag.m4 cf/roken.m4 \
- cf/shared-libs.m4 cf/test-package.m4 cf/wflags.m4 \
- cf/with-all.m4
- cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
-
-config.status: $(srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c
+am--refresh:
+ @:
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ echo ' cd $(srcdir) && $(AUTOMAKE) --foreign --ignore-deps'; \
+ cd $(srcdir) && $(AUTOMAKE) --foreign --ignore-deps \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --foreign --ignore-deps Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ echo ' $(SHELL) ./config.status'; \
+ $(SHELL) ./config.status;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
$(SHELL) ./config.status --recheck
-$(srcdir)/configure: $(srcdir)/configure.in $(ACLOCAL_M4) $(CONFIGURE_DEPENDENCIES)
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
cd $(srcdir) && $(AUTOCONF)
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+ cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
# This directory's subdirectories are mostly independent; you can cd
# into them and run `make' without going through this Makefile.
@@ -273,11 +411,8 @@ $(srcdir)/configure: $(srcdir)/configure.in $(ACLOCAL_M4) $(CONFIGURE_DEPENDENCI
# (1) if the variable is set in `config.status', edit `config.status'
# (which will cause the Makefiles to be regenerated when you run `make');
# (2) otherwise, pass the desired values on the `make' command line.
-
-all-recursive install-data-recursive install-exec-recursive \
-installdirs-recursive install-recursive uninstall-recursive \
-check-recursive installcheck-recursive info-recursive dvi-recursive:
- @set fnord $(MAKEFLAGS); amf=$$2; \
+$(RECURSIVE_TARGETS):
+ @set fnord $$MAKEFLAGS; amf=$$2; \
dot_seen=no; \
target=`echo $@ | sed s/-recursive//`; \
list='$(SUBDIRS)'; for subdir in $$list; do \
@@ -297,7 +432,7 @@ check-recursive installcheck-recursive info-recursive dvi-recursive:
mostlyclean-recursive clean-recursive distclean-recursive \
maintainer-clean-recursive:
- @set fnord $(MAKEFLAGS); amf=$$2; \
+ @set fnord $$MAKEFLAGS; amf=$$2; \
dot_seen=no; \
case "$@" in \
distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
@@ -324,199 +459,311 @@ tags-recursive:
list='$(SUBDIRS)'; for subdir in $$list; do \
test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
done
-
-tags: TAGS
+ctags-recursive:
+ list='$(SUBDIRS)'; for subdir in $$list; do \
+ test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+ done
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
- list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) ' { files[$$0] = 1; } \
END { for (i in files) print i; }'`; \
- mkid -fID $$unique $(LISP)
+ mkid -fID $$unique
+tags: TAGS
TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
tags=; \
here=`pwd`; \
+ if (etags --etags-include --version) >/dev/null 2>&1; then \
+ include_option=--etags-include; \
+ else \
+ include_option=--include; \
+ fi; \
list='$(SUBDIRS)'; for subdir in $$list; do \
- if test "$$subdir" = .; then :; else \
- test -f $$subdir/TAGS && tags="$$tags -i $$here/$$subdir/TAGS"; \
- fi; \
+ if test "$$subdir" = .; then :; else \
+ test -f $$subdir/TAGS && \
+ tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
+ fi; \
done; \
- list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) ' { files[$$0] = 1; } \
END { for (i in files) print i; }'`; \
- test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
- || etags $(ETAGS_ARGS) $$tags $$unique $(LISP)
+ test -z "$(ETAGS_ARGS)$$tags$$unique" \
+ || $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique
+ctags: CTAGS
+CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
GTAGS:
- here=`CDPATH=: && cd $(top_builddir) && pwd` \
+ here=`$(am__cd) $(top_builddir) && pwd` \
&& cd $(top_srcdir) \
- && gtags -i $$here
+ && gtags -i $(GTAGS_ARGS) $$here
-mostlyclean-tags:
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ $(am__remove_distdir)
+ mkdir $(distdir)
+ $(mkdir_p) $(distdir)/cf
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+ list='$(SUBDIRS)'; for subdir in $$list; do \
+ if test "$$subdir" = .; then :; else \
+ test -d "$(distdir)/$$subdir" \
+ || mkdir "$(distdir)/$$subdir" \
+ || exit 1; \
+ (cd $$subdir && \
+ $(MAKE) $(AM_MAKEFLAGS) \
+ top_distdir="../$(top_distdir)" \
+ distdir="../$(distdir)/$$subdir" \
+ distdir) \
+ || exit 1; \
+ fi; \
+ done
+ $(MAKE) $(AM_MAKEFLAGS) \
+ top_distdir="$(top_distdir)" distdir="$(distdir)" \
+ dist-hook
+ -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+ ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
+ ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
+ ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
+ || chmod -R a+r $(distdir)
+dist-gzip: distdir
+ $(AMTAR) chof - $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
+ $(am__remove_distdir)
-clean-tags:
+dist-bzip2: distdir
+ $(AMTAR) chof - $(distdir) | bzip2 -9 -c >$(distdir).tar.bz2
+ $(am__remove_distdir)
-distclean-tags:
- -rm -f TAGS ID
+dist-tarZ: distdir
+ $(AMTAR) chof - $(distdir) | compress -c >$(distdir).tar.Z
+ $(am__remove_distdir)
-maintainer-clean-tags:
+dist-shar: distdir
+ shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
+ $(am__remove_distdir)
-distdir = $(PACKAGE)-$(VERSION)
-top_distdir = $(distdir)
+dist-zip: distdir
+ -rm -f $(distdir).zip
+ zip -rq $(distdir).zip $(distdir)
+ $(am__remove_distdir)
+dist dist-all: distdir
+ $(AMTAR) chof - $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
+ $(am__remove_distdir)
# This target untars the dist file and tries a VPATH configuration. Then
# it guarantees that the distribution is self-contained by making another
# tarfile.
distcheck: dist
- -chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
- GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(AMTAR) xf -
+ case '$(DIST_ARCHIVES)' in \
+ *.tar.gz*) \
+ GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(AMTAR) xf - ;;\
+ *.tar.bz2*) \
+ bunzip2 -c $(distdir).tar.bz2 | $(AMTAR) xf - ;;\
+ *.tar.Z*) \
+ uncompress -c $(distdir).tar.Z | $(AMTAR) xf - ;;\
+ *.shar.gz*) \
+ GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | unshar ;;\
+ *.zip*) \
+ unzip $(distdir).zip ;;\
+ esac
chmod -R a-w $(distdir); chmod a+w $(distdir)
- mkdir $(distdir)/=build
- mkdir $(distdir)/=inst
+ mkdir $(distdir)/_build
+ mkdir $(distdir)/_inst
chmod a-w $(distdir)
- dc_install_base=`CDPATH=: && cd $(distdir)/=inst && pwd` \
- && cd $(distdir)/=build \
- && ../configure --srcdir=.. --prefix=$$dc_install_base \
+ dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
+ && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
+ && cd $(distdir)/_build \
+ && ../configure --srcdir=.. --prefix="$$dc_install_base" \
+ $(DISTCHECK_CONFIGURE_FLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
&& $(MAKE) $(AM_MAKEFLAGS) check \
&& $(MAKE) $(AM_MAKEFLAGS) install \
&& $(MAKE) $(AM_MAKEFLAGS) installcheck \
&& $(MAKE) $(AM_MAKEFLAGS) uninstall \
- && test `find $$dc_install_base -type f -print | wc -l` -le 1 \
+ && $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \
+ distuninstallcheck \
+ && chmod -R a-w "$$dc_install_base" \
+ && ({ \
+ (cd ../.. && umask 077 && mkdir "$$dc_destdir") \
+ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \
+ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \
+ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \
+ distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \
+ } || { rm -rf "$$dc_destdir"; exit 1; }) \
+ && rm -rf "$$dc_destdir" \
&& $(MAKE) $(AM_MAKEFLAGS) dist \
- && $(MAKE) $(AM_MAKEFLAGS) distclean \
- && rm -f $(distdir).tar.gz \
- && test `find . -type f -print | wc -l` -eq 0
- -chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
- @banner="$(distdir).tar.gz is ready for distribution"; \
- dashes=`echo "$$banner" | sed s/./=/g`; \
- echo "$$dashes"; \
- echo "$$banner"; \
- echo "$$dashes"
-dist: distdir
- -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
- ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
- ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
- ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
- || chmod -R a+r $(distdir)
- $(AMTAR) chof - $(distdir) | GZIP=$(GZIP_ENV) gzip -c > $(distdir).tar.gz
- -chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
-dist-all: distdir
- -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
- ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
- ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
- ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
- || chmod -R a+r $(distdir)
- $(AMTAR) chof - $(distdir) | GZIP=$(GZIP_ENV) gzip -c > $(distdir).tar.gz
- -chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
-distdir: $(DISTFILES)
- -chmod -R a+w $(distdir) > /dev/null 2>&1; rm -rf $(distdir)
- mkdir $(distdir)
- @for file in $(DISTFILES); do \
- d=$(srcdir); \
- if test -d $$d/$$file; then \
- cp -pR $$d/$$file $(distdir) \
- || exit 1; \
- else \
- test -f $(distdir)/$$file \
- || cp -p $$d/$$file $(distdir)/$$file \
- || exit 1; \
- fi; \
- done
- for subdir in $(SUBDIRS); do \
- if test "$$subdir" = .; then :; else \
- test -d $(distdir)/$$subdir \
- || mkdir $(distdir)/$$subdir \
- || exit 1; \
- (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir=../$(distdir) distdir=../$(distdir)/$$subdir distdir) \
- || exit 1; \
- fi; \
- done
- $(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
-info-am:
-info: info-recursive
-dvi-am:
-dvi: dvi-recursive
+ && rm -rf $(DIST_ARCHIVES) \
+ && $(MAKE) $(AM_MAKEFLAGS) distcleancheck
+ $(am__remove_distdir)
+ @(echo "$(distdir) archives ready for distribution: "; \
+ list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
+ sed -e '1{h;s/./=/g;p;x;}' -e '$${p;x;}'
+distuninstallcheck:
+ @cd $(distuninstallcheck_dir) \
+ && test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
+ || { echo "ERROR: files left after uninstall:" ; \
+ if test -n "$(DESTDIR)"; then \
+ echo " (check DESTDIR support)"; \
+ fi ; \
+ $(distuninstallcheck_listfiles) ; \
+ exit 1; } >&2
+distcleancheck: distclean
+ @if test '$(srcdir)' = . ; then \
+ echo "ERROR: distcleancheck can only run from a VPATH build" ; \
+ exit 1 ; \
+ fi
+ @test `$(distcleancheck_listfiles) | wc -l` -eq 0 \
+ || { echo "ERROR: files left in build directory after distclean:" ; \
+ $(distcleancheck_listfiles) ; \
+ exit 1; } >&2
check-am: all-am
$(MAKE) $(AM_MAKEFLAGS) check-local
check: check-recursive
-installcheck-am:
-installcheck: installcheck-recursive
-install-exec-am:
- @$(NORMAL_INSTALL)
- $(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+all-am: Makefile all-local
+installdirs: installdirs-recursive
+installdirs-am:
+install: install-recursive
install-exec: install-exec-recursive
-
-install-data-am: install-data-local
install-data: install-data-recursive
+uninstall: uninstall-recursive
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-install: install-recursive
-uninstall-am:
-uninstall: uninstall-recursive
-all-am: Makefile all-local
-all-redirect: all-recursive
-install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
-installdirs: installdirs-recursive
-installdirs-am:
-
+installcheck: installcheck-recursive
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
mostlyclean-generic:
clean-generic:
distclean-generic:
- -rm -f Makefile $(CONFIG_CLEAN_FILES)
- -rm -f config.cache config.log stamp-h stamp-h[0-9]*
+ -rm -f $(CONFIG_CLEAN_FILES)
maintainer-clean-generic:
- -rm -f Makefile.in
-mostlyclean-am: mostlyclean-tags mostlyclean-generic
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-recursive
-mostlyclean: mostlyclean-recursive
+clean-am: clean-generic clean-libtool mostlyclean-am
-clean-am: clean-tags clean-generic mostlyclean-am
+distclean: distclean-recursive
+ -rm -f $(am__CONFIG_DISTCLEAN_FILES)
+ -rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-libtool \
+ distclean-tags
-clean: clean-recursive
+dvi: dvi-recursive
-distclean-am: distclean-tags distclean-generic clean-am
- -rm -f libtool
+dvi-am:
-distclean: distclean-recursive
- -rm -f config.status
+html: html-recursive
-maintainer-clean-am: maintainer-clean-tags maintainer-clean-generic \
- distclean-am
- @echo "This command is intended for maintainers to use;"
- @echo "it deletes files that may require special tools to rebuild."
+info: info-recursive
+
+info-am:
+
+install-data-am:
+ @$(NORMAL_INSTALL)
+ $(MAKE) $(AM_MAKEFLAGS) install-data-hook
+
+install-exec-am:
+ @$(NORMAL_INSTALL)
+ $(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+
+install-info: install-info-recursive
+
+install-man:
+
+installcheck-am:
maintainer-clean: maintainer-clean-recursive
- -rm -f config.status
-
-.PHONY: install-recursive uninstall-recursive install-data-recursive \
-uninstall-data-recursive install-exec-recursive \
-uninstall-exec-recursive installdirs-recursive uninstalldirs-recursive \
-all-recursive check-recursive installcheck-recursive info-recursive \
-dvi-recursive mostlyclean-recursive distclean-recursive clean-recursive \
-maintainer-clean-recursive tags tags-recursive mostlyclean-tags \
-distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
-dvi-am dvi check-local check check-am installcheck-am installcheck \
-install-exec-am install-exec install-data-local install-data-am \
-install-data install-am install uninstall-am uninstall all-local \
-all-redirect all-am all install-strip installdirs-am installdirs \
-mostlyclean-generic distclean-generic clean-generic \
-maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+ -rm -f $(am__CONFIG_DISTCLEAN_FILES)
+ -rm -rf $(top_srcdir)/autom4te.cache
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-recursive
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-recursive
+
+pdf-am:
+
+ps: ps-recursive
+
+ps-am:
+
+uninstall-am: uninstall-info-am
+
+uninstall-info: uninstall-info-recursive
+
+.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am all-local \
+ am--refresh check check-am check-local clean clean-generic \
+ clean-libtool clean-recursive ctags ctags-recursive dist \
+ dist-all dist-bzip2 dist-gzip dist-shar dist-tarZ dist-zip \
+ distcheck distclean distclean-generic distclean-libtool \
+ distclean-recursive distclean-tags distcleancheck distdir \
+ distuninstallcheck dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-exec \
+ install-exec-am install-info install-info-am install-man \
+ install-strip installcheck installcheck-am installdirs \
+ installdirs-am maintainer-clean maintainer-clean-generic \
+ maintainer-clean-recursive mostlyclean mostlyclean-generic \
+ mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \
+ tags tags-recursive uninstall uninstall-am uninstall-info-am
install-suid-programs:
@@ -532,7 +779,7 @@ install-suid-programs:
install-exec-hook: install-suid-programs
install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
- @foo='$(include_HEADERS) $(build_HEADERZ)'; \
+ @foo='$(include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \
for f in $$foo; do \
f=`basename $$f`; \
if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
@@ -545,6 +792,36 @@ install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
done
all-local: install-build-headers
+
+check-local::
+ @if test '$(CHECK_LOCAL)'; then \
+ foo='$(CHECK_LOCAL)'; else \
+ foo='$(PROGRAMS)'; fi; \
+ if test "$$foo"; then \
+ failed=0; all=0; \
+ for i in $$foo; do \
+ all=`expr $$all + 1`; \
+ if ./$$i --version > /dev/null 2>&1; then \
+ echo "PASS: $$i"; \
+ else \
+ echo "FAIL: $$i"; \
+ failed=`expr $$failed + 1`; \
+ fi; \
+ done; \
+ if test "$$failed" -eq 0; then \
+ banner="All $$all tests passed"; \
+ else \
+ banner="$$failed of $$all tests failed"; \
+ fi; \
+ dashes=`echo "$$banner" | sed s/./=/g`; \
+ echo "$$dashes"; \
+ echo "$$banner"; \
+ echo "$$dashes"; \
+ test "$$failed" -eq 0; \
+ fi
+
+.x.c:
+ @cmp -s $< $@ 2> /dev/null || cp $< $@
#NROFF_MAN = nroff -man
.1.cat1:
$(NROFF_MAN) $< > $@
@@ -612,41 +889,12 @@ dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
install-cat-mans:
$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
-install-data-local: install-cat-mans
+install-data-hook: install-cat-mans
.et.h:
$(COMPILE_ET) $<
.et.c:
$(COMPILE_ET) $<
-
-.x.c:
- @cmp -s $< $@ 2> /dev/null || cp $< $@
-
-check-local::
- @foo='$(CHECK_LOCAL)'; \
- if test "$$foo"; then \
- failed=0; all=0; \
- for i in $$foo; do \
- all=`expr $$all + 1`; \
- if ./$$i --version > /dev/null 2>&1; then \
- echo "PASS: $$i"; \
- else \
- echo "FAIL: $$i"; \
- failed=`expr $$failed + 1`; \
- fi; \
- done; \
- if test "$$failed" -eq 0; then \
- banner="All $$all tests passed"; \
- else \
- banner="$$failed of $$all tests failed"; \
- fi; \
- dashes=`echo "$$banner" | sed s/./=/g`; \
- echo "$$dashes"; \
- echo "$$banner"; \
- echo "$$dashes"; \
- test "$$failed" -eq 0; \
- fi
-
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/kerberosV/src/NEWS b/kerberosV/src/NEWS
index 1e0ccc015b8..262038b26ee 100644
--- a/kerberosV/src/NEWS
+++ b/kerberosV/src/NEWS
@@ -1,3 +1,94 @@
+Changes in release 0.6.3
+
+ * fix vulnerabilities in ftpd
+
+ * support for linux AFS /proc "syscalls"
+
+ * support for RFC3244 (Windows 2000 Kerberos Change/Set Password) in
+ kpasswdd
+
+ * fix possible KDC denial of service
+
+ * bug fixes
+
+Changes in release 0.6.2
+
+ * Fix possible buffer overrun in v4 kadmin (which now defaults to off)
+
+Changes in release 0.6.1
+
+ * Fixed ARCFOUR suppport
+
+ * Cross realm vulnerability
+
+ * kdc: fix denial of service attack
+
+ * kdc: stop clients from renewing tickets into the future
+
+ * bug fixes
+
+Changes in release 0.6
+
+* The DES3 GSS-API mechanism has been changed to inter-operate with
+ other GSSAPI implementations. See man page for gssapi(3) how to turn
+ on generation of correct MIC messages. Next major release of heimdal
+ will generate correct MIC by default.
+
+* More complete GSS-API support
+
+* Better AFS support: kdc (524) supports 2b; 524 in kdc and AFS
+ support in applications no longer requires Kerberos 4 libs
+
+* Kerberos 4 support in kdc defaults to turned off (includes ka and 524)
+
+* other bug fixes
+
+Changes in release 0.5.2
+
+ * kdc: add option for disabling v4 cross-realm (defaults to off)
+
+ * bug fixes
+
+Changes in release 0.5.1
+
+ * kadmind: fix remote exploit
+
+ * kadmind: add option to disable kerberos 4
+
+ * kdc: make sure kaserver token life is positive
+
+ * telnet: use the session key if there is no subkey
+
+ * fix EPSV parsing in ftp
+
+ * other bug fixes
+
+Changes in release 0.5
+
+ * add --detach option to kdc
+
+ * allow setting forward and forwardable option in telnet from
+ .telnetrc, with override from command line
+
+ * accept addresses with or without ports in krb5_rd_cred
+
+ * make it work with modern openssl
+
+ * use our own string2key function even with openssl (that handles weak
+ keys incorrectly)
+
+ * more system-specific requirements in login
+
+ * do not use getlogin() to determine root in su
+
+ * telnet: abort if telnetd does not support encryption
+
+ * update autoconf to 2.53
+
+ * update config.guess, config.sub
+
+ * other bug fixes
+
Changes in release 0.4e
* improve libcrypto and database autoconf tests
diff --git a/kerberosV/src/TODO b/kerberosV/src/TODO
index a5fd1e2ea0e..159101e065a 100644
--- a/kerberosV/src/TODO
+++ b/kerberosV/src/TODO
@@ -1,6 +1,6 @@
-*- indented-text -*-
-$KTH: TODO,v 1.66 2001/08/09 08:43:42 assar Exp $
+$KTH: TODO,v 1.67 2003/03/20 20:00:53 lha Exp $
* configure
@@ -48,12 +48,6 @@ make everything work with openssl and make prototypes compatible
** lib/gssapi
-process_context_token, add_cred, inquire_cred_by_mech,
-inquire_names_for_mech, and
-inquire_mechs_for_name not implemented.
-
-set minor_status in all functions
-
anonymous credentials not implemented
add rc4
diff --git a/kerberosV/src/TODO-1.0 b/kerberosV/src/TODO-1.0
index ade5a79639e..a754b299c14 100644
--- a/kerberosV/src/TODO-1.0
+++ b/kerberosV/src/TODO-1.0
@@ -1,3 +1,5 @@
+$KTH: TODO-1.0,v 1.3 2001/09/27 16:27:30 assar Exp $
+
- sort out hprop:ing
- figure out hostname case sensitive issues
- verify_user: handle non-secure verification failing because of
@@ -6,7 +8,3 @@
- PAM?
- kadmin: make it happy with reading and parsing kdc.conf
- handle readline hiding in readline/readline.h
-- berkeley db circus
-- v4->v5 conversion in kdc
-
-include TODO-shadow
diff --git a/kerberosV/src/admin/get.c b/kerberosV/src/admin/get.c
index 7203b8d15ac..2fb091f2f94 100644
--- a/kerberosV/src/admin/get.c
+++ b/kerberosV/src/admin/get.c
@@ -33,7 +33,7 @@
#include "ktutil_locl.h"
-RCSID("$KTH: get.c,v 1.22 2003/01/16 19:03:23 lha Exp $");
+RCSID("$KTH: get.c,v 1.22.2.1 2004/06/21 10:55:46 lha Exp $");
static void*
open_kadmin_connection(char *principal,
@@ -170,6 +170,10 @@ kt_get(int argc, char **argv)
krb5_keytab_entry entry;
ret = krb5_parse_name(context, argv[i], &princ_ent);
+ if (ret) {
+ krb5_warn(context, ret, "can't parse principal %s", argv[i]);
+ continue;
+ }
memset(&princ, 0, sizeof(princ));
princ.principal = princ_ent;
mask |= KADM5_PRINCIPAL;
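Review bot: The new parse-failure branch in kt_get's loop warns and then hits `continue`, but nothing in the hunk records that a principal was rejected, so the command's exit status may not reflect the failure. `ret` is reassigned by the next iteration's `krb5_parse_name` call, and if the function returns the final `ret` (the return path is outside this hunk, so this is an inference), a run with one malformed name followed by valid ones would report success. Scripts that provision keytabs tend to rely on the exit status, so I would set a sticky local flag before skipping, e.g. `failed = 1;` ahead of `continue;`, and fold it into the return value. The loop and the rest of kt_get start and end outside the hunk.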
diff --git a/kerberosV/src/appl/afsutil/ChangeLog b/kerberosV/src/appl/afsutil/ChangeLog
index a74403bd283..c3f5605e2d9 100644
--- a/kerberosV/src/appl/afsutil/ChangeLog
+++ b/kerberosV/src/appl/afsutil/ChangeLog
@@ -1,3 +1,8 @@
+2003-08-25 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * afslog.c: 1.22->1.23: (do_afslog): is cell is unset, set it
+ "<default cell>" for error printing
+
2003-04-23 Love Hörnquist Åstrand <lha@it.su.se>
* afslog.c: 1.21->1.22: (log_func): drop the error number
diff --git a/kerberosV/src/appl/afsutil/afslog.cat1 b/kerberosV/src/appl/afsutil/afslog.cat1
new file mode 100644
index 00000000000..d662b4eadfe
--- /dev/null
+++ b/kerberosV/src/appl/afsutil/afslog.cat1
@@ -0,0 +1,60 @@
+
+AFSLOG(1) UNIX Reference Manual AFSLOG(1)
+
+NNAAMMEE
+ aaffsslloogg - obtain AFS tokens
+
+SSYYNNOOPPSSIISS
+ aaffsslloogg [--cc _c_e_l_l | ----cceellll==_c_e_l_l] [--pp _p_a_t_h | ----ffiillee==_p_a_t_h] [--kk _r_e_a_l_m |
+ ----rreeaallmm==_r_e_a_l_m] [----nnoo--vv44] [----nnoo--vv55] [--uu | ----uunnlloogg] [--vv | ----vveerrbboossee]
+ [----vveerrssiioonn] [--hh | ----hheellpp] [_c_e_l_l | _p_a_t_h _._._.]
+
+DDEESSCCRRIIPPTTIIOONN
+ aaffsslloogg obtains AFS tokens for a number of cells. What cells to get tokens
+ for can either be specified as an explicit list, as file paths to get to-
+ kens for, or be left unspecified, in which case aaffsslloogg will use whatever
+ magic krb_afslog(3) decides upon.
+
+ Supported options:
+
+ --cc _c_e_l_l_, ----cceellll==_c_e_l_l
+ This specified one or more cell names to get tokens for.
+
+ --pp _p_a_t_h, ----ffiillee==_p_a_t_h
+ This specified one or more file paths for which tokens should be
+ obtained.
+
+ --kk _r_e_a_l_m, ----rreeaallmm==_r_e_a_l_m
+ This is the Kerberos realm the AFS servers live in, this should
+ normally not be specified.
+
+ ----nnoo--vv44
+ This makes aaffsslloogg not try using Kerberos 4.
+
+ ----nnoo--vv55
+ This makes aaffsslloogg not try using Kerberos 5.
+
+ --uu, ----uunnlloogg
+ Destroy tokens instead of obtaining new. If this is specified,
+ all other options are ignored (except for ----hheellpp and ----vveerrssiioonn).
+
+ --vv, ----vveerrbboossee
+ Adds more verbosity for what is actually going on.
+ Instead of using --cc and --pp, you may also pass a list of cells and file
+ paths after any other options. These arguments are considered files if
+ they are either the strings ``.'' or ``..'' or they contain a slash, or
+ if there exists a file by that name.
+
+EEXXAAMMPPLLEESS
+ Assuming that there is no file called ``openafs.org'' in the current di-
+ rectory, and that _/_a_f_s_/_o_p_e_n_a_f_s_._o_r_g points to that cell, the follwing
+ should be identical:
+
+ $ afslog -c openafs.org
+ $ afslog openafs.org
+ $ afslog /afs/openafs.org/some/file
+
+SSEEEE AALLSSOO
+ krb_afslog(3)
+
+ HEIMDAL November 26, 2002 1
diff --git a/kerberosV/src/appl/login/login.1 b/kerberosV/src/appl/login/login.1
new file mode 100644
index 00000000000..707cb290d42
--- /dev/null
+++ b/kerberosV/src/appl/login/login.1
@@ -0,0 +1,226 @@
+.\" $KTH: login.1,v 1.1 2003/03/24 16:15:12 joda Exp $
+.\"
+.Dd March 24, 2003
+.Dt LOGIN 1
+.Os HEIMDAL
+.Sh NAME
+.Nm login
+.Nd
+authenticate a user and start new session
+.Sh SYNOPSIS
+.Nm
+.Op Fl fp
+.Op Fl a Ar level
+.Op Fl h Ar hostname
+.Ar [username]
+.Sh DESCRIPTION
+This manual page documents the
+.Nm login
+program distributed with the Heimdal Kerberos 5 implementation, it may
+differ in important ways from your system version.
+.Pp
+The
+.Nm login
+programs logs users into the system. It is intended to be run by
+system daemons like
+.Xr getty 8
+or
+.Xr telnetd 8 .
+If you are already logged in, but want to change to another user, you
+should use
+.Xr su 1 .
+.Pp
+A username can be given on the command line, else one will be prompted
+for.
+.Pp
+A password is required to login, unless the
+.Fl f
+option is given (indicating that the calling program has already done
+proper authentication). With
+.Fl f
+the user will be logged in without further questions.
+.Pp
+For password authentication Kerberos 5, Kerberos 4 (if compiled in),
+OTP (if compiled in) and local
+.No ( Pa /etc/passwd )
+passwords are supported. OTP will be used if the the user is
+registered to use it, and
+.Nm login
+is given the option
+.Fl a Li otp .
+When using OTP, a challenge is shown to the user.
+.Pp
+Further options are:
+.Bl -tag -width Ds
+.It Fl a Ar string
+Which authentication mode to use, the only supported value is
+currently
+.Dq otp .
+.It Fl f
+Indicates that the user is already authenticated. This happens, for
+instance, when login is started by telnetd, and the user has proved
+authentic via Kerberos.
+.It Fl h Ar hostname
+Indicates which host the user is logging in from. This is passed from
+telnetd, and is entered into the login database.
+.It Fl p
+This tells
+.Nm login
+to preserve all environment variables. If not given, only the
+.Dv TERM
+and
+.Dv TZ
+variables are preserved. It could be a security risk to pass random
+variables to
+.Nm login
+or the user shell, so the calling daemon should make sure it only
+passes
+.Dq safe
+variables.
+.El
+.Pp
+The process of logging user in proceeds as follows.
+.Pp
+First a check is made that logins are allowed at all. This usually
+means checking
+.Pa /etc/nologin .
+If it exists, and the user trying to login is not root, the contents
+is printed, and then login exits.
+.Pp
+Then various system parameters are set up, like changing the owner of
+the tty to the user, setting up signals, setting the group list, and
+user and group id. Also various machine specific tasks are performed.
+.Pp
+Next
+.Nm login
+changes to the users home directory, or if that fails, to
+.Pa / .
+The environment is setup, by adding some required variables (such as
+.Dv PATH ) ,
+and also authentication related ones (such as
+.Dv KRB5CCNAME ) .
+If an environment file exists
+.No ( Pa /etc/environment ) ,
+variables are set according to
+it.
+.Pp
+If one or more login message files are configured, their contents is
+printed to the terminal.
+.Pp
+If a login time command is configured, it is executed. A logout time
+command can also be configured, which makes
+.Nm login
+fork, and wait for the user shell to exit, and then run the command.
+This can be used to clean up user credentials.
+.Pp
+Finally, the user's shell is executed. If the user logging in is root,
+and root's login shell does not exist, a default shell (usually
+.Pa /bin/sh )
+is also tried before giving up.
+.Sh ENVIRONMENT
+These environment variables are set by login (not including ones set by
+.Pa /etc/environment ) :
+.Pp
+.Bl -tag -compact -width USERXXLOGNAME
+.It Dv PATH
+the default system path
+.It Dv HOME
+the user's home directory (or possibly
+.Pa / )
+.It Dv USER , Dv LOGNAME
+both set to the username
+.It Dv SHELL
+the user's shell
+.It Dv TERM , Dv TZ
+set to whatever is passed to
+.Nm login
+.It Dv KRB5CCNAME
+if the password is verified via Kerberos 5, this will point to the
+credentials cache file
+.It Dv KRBTKFILE
+if the password is verified via Kerberos 4, this will point to the
+ticket file
+.El
+.Sh FILES
+.Bl -tag -compact -width Ds
+.It Pa /etc/environment
+Contains a set of environment variables that should be set in addition
+to the ones above. It should contain sh-style assignments like
+.Dq VARIABLE=value .
+Note that they are not parsed the way a shell would. No variable
+expansion is performed, and all strings are literal, and quotation
+marks should not be used. Everything after a hash mark is considered a
+comment. The following are all different (the last will set the
+variable
+.Dv BAR ,
+not
+.Dv FOO ) .
+.Bd -literal -offset indent
+FOO=this is a string
+FOO="this is a string"
+BAR= FOO='this is a string'
+.Ed
+.It Pa /etc/login.access
+See
+.Xr login.access 5 .
+.It Pa /etc/login.conf
+This is a termcap style configuration file, that contains various
+settings used by
+.Nm login .
+Currently only the
+.Dq default
+capability record is used. The possible capability strings include:
+.Pp
+.Bl -tag -compact -width Ds
+.It Li environment
+This is a comma separated list of environment files that are read in
+the order specified. If this is missing the default
+.Pa /etc/environment
+is used.
+.It Li login_program
+This program will be executed just before the user's shell is started.
+It will be called without arguments.
+.It Li logout_program
+This program will be executed just after the user's shell has
+terminated. It will be called without arguments. This program will be
+the parent process of the spawned shell.
+.It Li motd
+A comma separated list of text files that will be printed to the
+user's terminal before starting the shell. The string
+.Li welcome
+works similarly, but points to a single file.
+.El
+.It Pa /etc/nologin
+If it exists, login is denied to all but root. The contents of this
+file is printed before login exits.
+.El
+.Pp
+Other
+.Nm login
+programs typically print all sorts of information by default, such as
+last time you logged in, if you have mail, and system message files.
+This version of
+.Nm login
+does not, so there is no reason for
+.Pa .hushlogin
+files or similar. We feel that these tasks are best left to the user's
+shell, but the
+.Li login_program
+facility allows for a shell independent solution, if that is desired.
+.Sh EXAMPLES
+A
+.Pa login.conf
+file could look like:
+.Bd -literal -offset indent
+default:\\
+ :motd=/etc/motd,/etc/motd.local:
+.Ed
+.Sh SEE ALSO
+.Xr su 1 ,
+.Xr login.access 5 ,
+.Xr getty 8 ,
+.Xr telnetd 8
+.Sh AUTHORS
+This login program was written for the Heimdal Kerberos 5
+implementation. The login.access code was written by Wietse Venema.
+.\".Sh BUGS
diff --git a/kerberosV/src/appl/login/login.access.5 b/kerberosV/src/appl/login/login.access.5
new file mode 100644
index 00000000000..38cb71facb0
--- /dev/null
+++ b/kerberosV/src/appl/login/login.access.5
@@ -0,0 +1,56 @@
+.\" $KTH: login.access.5,v 1.1 2003/03/24 15:49:30 joda Exp $
+.\"
+.Dd March 21, 2003
+.Dt LOGIN.ACCESS 5
+.Os HEIMDAL
+.Sh NAME
+.Nm login.access
+.Nd
+login access control table
+.Sh DESCRIPTION
+The
+.Nm login.access
+file specifies on which ttys or from which hosts certain users are
+allowed to login.
+.Pp
+At login, the
+.Pa /etc/login.access
+file is checked for the first entry that matches a specific user/host
+or user/tty combination. That entry can either allow or deny login
+access to that user.
+.Pp
+Each entry have three fields separated by colon:
+.Bl -bullet
+.It
+The first field indicates the permission given if the entry matches.
+It can be either
+.Dq +
+(allow access)
+or
+.Dq -
+(deny access) .
+.It
+The second field is a comma separated list of users or groups for
+which the current entry applies. NIS netgroups can used (if
+configured) if preceeded by @. The magic string ALL matches all users.
+A group will match if the user is a member of that group, or it is the
+user's primary group.
+.It
+The third field is a list of ttys, or network names. A network name
+can be either a hostname, a domain (indicated by a starting period),
+or a netgroup. As with the user list, ALL matches anything. LOCAL
+matches a string not containing a period.
+.El
+.Pp
+If the string EXCEPT is found in either the user or from list, the
+rest of the list are exceptions to the list before EXCEPT.
+.Sh BUGS
+If there's a user and a group with the same name, there is no way to
+make the group match if the user also matches.
+.Sh SEE ALSO
+.Xr login 1
+.Sh AUTHORS
+The
+.Fn login_access
+function was written by
+Wietse Venema. This manual page was written for Heimdal.
diff --git a/kerberosV/src/appl/login/login.access.cat5 b/kerberosV/src/appl/login/login.access.cat5
new file mode 100644
index 00000000000..8d53505c5b2
--- /dev/null
+++ b/kerberosV/src/appl/login/login.access.cat5
@@ -0,0 +1,45 @@
+
+LOGIN.ACCESS(5) UNIX Programmer's Manual LOGIN.ACCESS(5)
+
+NNAAMMEE
+ llooggiinn..aacccceessss - login access control table
+
+DDEESSCCRRIIPPTTIIOONN
+ The llooggiinn..aacccceessss file specifies on which ttys or from which hosts certain
+ users are allowed to login.
+
+ At login, the _/_e_t_c_/_l_o_g_i_n_._a_c_c_e_s_s file is checked for the first entry that
+ matches a specific user/host or user/tty combination. That entry can ei-
+ ther allow or deny login access to that user.
+
+ Each entry have three fields separated by colon:
+
+ ++oo The first field indicates the permission given if the entry matches.
+ It can be either ``+'' (allow access) or ``-'' (deny access) .
+
+ ++oo The second field is a comma separated list of users or groups for
+ which the current entry applies. NIS netgroups can used (if config-
+ ured) if preceeded by @. The magic string ALL matches all users. A
+ group will match if the user is a member of that group, or it is the
+ user's primary group.
+
+ ++oo The third field is a list of ttys, or network names. A network name
+ can be either a hostname, a domain (indicated by a starting period),
+ or a netgroup. As with the user list, ALL matches anything. LOCAL
+ matches a string not containing a period.
+
+ If the string EXCEPT is found in either the user or from list, the rest
+ of the list are exceptions to the list before EXCEPT.
+
+BBUUGGSS
+ If there's a user and a group with the same name, there is no way to make
+ the group match if the user also matches.
+
+SSEEEE AALLSSOO
+ login(1)
+
+AAUUTTHHOORRSS
+ The llooggiinn__aacccceessss() function was written by Wietse Venema. This manual
+ page was written for Heimdal.
+
+ HEIMDAL March 21, 2003 1
diff --git a/kerberosV/src/appl/login/login.cat1 b/kerberosV/src/appl/login/login.cat1
new file mode 100644
index 00000000000..21ca2a53d07
--- /dev/null
+++ b/kerberosV/src/appl/login/login.cat1
@@ -0,0 +1,153 @@
+
+LOGIN(1) UNIX Reference Manual LOGIN(1)
+
+NNAAMMEE
+ llooggiinn - authenticate a user and start new session
+
+SSYYNNOOPPSSIISS
+ llooggiinn [--ffpp] [--aa _l_e_v_e_l] [--hh _h_o_s_t_n_a_m_e] _[_u_s_e_r_n_a_m_e_]
+
+DDEESSCCRRIIPPTTIIOONN
+ This manual page documents the llooggiinn program distributed with the Heim-
+ dal Kerberos 5 implementation, it may differ in important ways from your
+ system version.
+
+ The llooggiinn programs logs users into the system. It is intended to be run
+ by system daemons like getty(8) or telnetd(8). If you are already logged
+ in, but want to change to another user, you should use su(1).
+
+ A username can be given on the command line, else one will be prompted
+ for.
+
+ A password is required to login, unless the --ff option is given (indicat-
+ ing that the calling program has already done proper authentication).
+ With --ff the user will be logged in without further questions.
+
+ For password authentication Kerberos 5, Kerberos 4 (if compiled in), OTP
+ (if compiled in) and local (_/_e_t_c_/_p_a_s_s_w_d) passwords are supported. OTP
+ will be used if the the user is registered to use it, and llooggiinn is given
+ the option --aa otp. When using OTP, a challenge is shown to the user.
+
+ Further options are:
+
+ --aa _s_t_r_i_n_g
+ Which authentication mode to use, the only supported value is
+ currently ``otp''.
+
+ --ff Indicates that the user is already authenticated. This happens,
+ for instance, when login is started by telnetd, and the user has
+ proved authentic via Kerberos.
+
+ --hh _h_o_s_t_n_a_m_e
+ Indicates which host the user is logging in from. This is passed
+ from telnetd, and is entered into the login database.
+
+ --pp This tells llooggiinn to preserve all environment variables. If not
+ given, only the TERM and TZ variables are preserved. It could be
+ a security risk to pass random variables to llooggiinn or the user
+ shell, so the calling daemon should make sure it only passes
+ ``safe'' variables.
+
+ The process of logging user in proceeds as follows.
+
+ First a check is made that logins are allowed at all. This usually means
+ checking _/_e_t_c_/_n_o_l_o_g_i_n. If it exists, and the user trying to login is not
+ root, the contents is printed, and then login exits.
+
+ Then various system parameters are set up, like changing the owner of the
+ tty to the user, setting up signals, setting the group list, and user and
+ group id. Also various machine specific tasks are performed.
+
+ Next llooggiinn changes to the users home directory, or if that fails, to _/.
+ The environment is setup, by adding some required variables (such as
+ PATH), and also authentication related ones (such as KRB5CCNAME). If an
+ environment file exists (_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t), variables are set according
+ to it.
+
+ If one or more login message files are configured, their contents is
+ printed to the terminal.
+
+ If a login time command is configured, it is executed. A logout time com-
+ mand can also be configured, which makes llooggiinn fork, and wait for the us-
+ er shell to exit, and then run the command. This can be used to clean up
+ user credentials.
+
+ Finally, the user's shell is executed. If the user logging in is root,
+ and root's login shell does not exist, a default shell (usually _/_b_i_n_/_s_h)
+ is also tried before giving up.
+
+EENNVVIIRROONNMMEENNTT
+ These environment variables are set by login (not including ones set by
+ _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t):
+
+ PATH the default system path
+ HOME the user's home directory (or possibly _/)
+ USER, LOGNAME both set to the username
+ SHELL the user's shell
+ TERM, TZ set to whatever is passed to llooggiinn
+ KRB5CCNAME if the password is verified via Kerberos 5, this will
+ point to the credentials cache file
+ KRBTKFILE if the password is verified via Kerberos 4, this will
+ point to the ticket file
+
+FFIILLEESS
+ /etc/environment
+ Contains a set of environment variables that should be set in ad-
+ dition to the ones above. It should contain sh-style assignments
+ like ``VARIABLE=value''. Note that they are not parsed the way a
+ shell would. No variable expansion is performed, and all strings
+ are literal, and quotation marks should not be used. Everything
+ after a hash mark is considered a comment. The following are all
+ different (the last will set the variable BAR, not FOO).
+
+ FOO=this is a string
+ FOO="this is a string"
+ BAR= FOO='this is a string'
+ /etc/login.access
+ See login.access(5).
+ /etc/login.conf
+ This is a termcap style configuration file, that contains various
+ settings used by llooggiinn. Currently only the ``default'' capability
+ record is used. The possible capability strings include:
+
+ environment
+ This is a comma separated list of environment files that
+ are read in the order specified. If this is missing the
+ default _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t is used.
+ login_program
+ This program will be executed just before the user's
+ shell is started. It will be called without arguments.
+ logout_program
+ This program will be executed just after the user's shell
+ has terminated. It will be called without arguments. This
+ program will be the parent process of the spawned shell.
+ motd A comma separated list of text files that will be printed
+ to the user's terminal before starting the shell. The
+ string welcome works similarly, but points to a single
+ file.
+ /etc/nologin
+ If it exists, login is denied to all but root. The contents of
+ this file is printed before login exits.
+
+
+ Other llooggiinn programs typically print all sorts of information by default,
+ such as last time you logged in, if you have mail, and system message
+ files. This version of llooggiinn does not, so there is no reason for
+ _._h_u_s_h_l_o_g_i_n files or similar. We feel that these tasks are best left to
+ the user's shell, but the login_program facility allows for a shell inde-
+ pendent solution, if that is desired.
+
+EEXXAAMMPPLLEESS
+ A _l_o_g_i_n_._c_o_n_f file could look like:
+
+ default:\
+ :motd=/etc/motd,/etc/motd.local:
+
+SSEEEE AALLSSOO
+ su(1), login.access(5), getty(8), telnetd(8)
+
+AAUUTTHHOORRSS
+ This login program was written for the Heimdal Kerberos 5 implementation.
+ The login.access code was written by Wietse Venema.
+
+ HEIMDAL March 24, 2003 3
diff --git a/kerberosV/src/appl/popper/popper.cat8 b/kerberosV/src/appl/popper/popper.cat8
new file mode 100644
index 00000000000..f2f3ebfc1d6
--- /dev/null
+++ b/kerberosV/src/appl/popper/popper.cat8
@@ -0,0 +1,54 @@
+
+POPPER(8) UNIX System Manager's Manual POPPER(8)
+
+NNAAMMEE
+ ppooppppeerr - POP3 server
+
+SSYYNNOOPPSSIISS
+ ppooppppeerr [--kk] [--aa _n_o_n_e|otp] [--tt _f_i_l_e] [--TT _s_e_c_o_n_d_s] [--dd] [--ii] [--pp _p_o_r_t]
+ [----aaddddrreessss--lloogg==_f_i_l_e]
+
+DDEESSCCRRIIPPTTIIOONN
+ ppooppppeerr serves mail via the Post Office Protocol. Supported options in-
+ clude:
+
+ --aa _n_o_n_e|otp, ----aauutthh--mmooddee==_n_o_n_e|otp
+ tells ppooppppeerr what authentication modes are acceptable, passing
+ _o_t_p disables clear text passwords. Otp doesn't disable Kerberos
+ authentication, only cleartext passwords.
+
+ ----aaddddrreessss--lloogg==_f_i_l_e
+ logs the addresses of all clients to the specified file
+
+ --dd, ----ddeebbuugg
+ enables more verbose log messages
+
+ --ii, ----iinntteerraaccttiivvee
+ when not started by inetd, this flag tells ppooppppeerr that it has to
+ create a socket by itself
+
+ --kk, ----kkeerrbbeerrooss
+ tells ppooppppeerr to use the Kerberos for authentication.
+
+ --pp _p_o_r_t, ----ppoorrtt==_p_o_r_t
+ port to listen to, in combination with --ii
+
+ --tt _f_i_l_e, ----ttrraaccee--ffiillee==_f_i_l_e
+ trace all commands to file
+
+ --TT _s_e_c_o_n_d_s, ----ttiimmeeoouutt==_s_e_c_o_n_d_s
+ set timeout to something other than the default of 120 seconds
+
+SSEEEE AALLSSOO
+ push(8), movemail(8)
+
+SSTTAANNDDAARRDDSS
+ RFC1939 (Post Office Protocol - Version 3)
+
+AAUUTTHHOORRSS
+ The server was initially developed at the University of California,
+ Berkeley.
+
+ Many changes have been made as part of the KTH Kerberos distributions.
+
+ HEIMDAL April 16, 2003 1
diff --git a/kerberosV/src/appl/rcp/rcp.1 b/kerberosV/src/appl/rcp/rcp.1
new file mode 100644
index 00000000000..5bd0a6b4186
--- /dev/null
+++ b/kerberosV/src/appl/rcp/rcp.1
@@ -0,0 +1,67 @@
+.\" $KTH: rcp.1,v 1.2 2003/04/16 12:20:43 joda Exp $
+.\"
+.Dd April 16, 2003
+.Dt RCP 1
+.Os HEIMDAL
+.Sh NAME
+.Nm rcp
+.Nd
+copy file to and from remote machines
+.Sh SYNOPSIS
+.Nm rcp
+.Op Fl 45FKpxz
+.Op Fl P Ar port
+.Ar file1 file2
+.Nm rcp
+.Op Fl 45FKprxz
+.Op Fl P Ar port
+.Ar file... directory
+.Sh DESCRIPTION
+.Nm rcp
+copies files between machines. Each file argument is either a remote file name of the form
+.Dq rname@rhost:path
+or a local file (containing no colon or with a slash before the first
+colon).
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl 4 ,
+.Fl 5 ,
+.Fl K ,
+.Fl F ,
+.Fl x ,
+.Fl z
+.Xc
+These options are passed on to
+.Xr rsh 1 .
+.It Fl P Ar port
+This will pass the option
+.Fl p Ar port
+to
+.Xr rsh 1 .
+.It Fl p
+Preserve file permissions.
+.It Fl r
+Copy source directories recursively.
+.El
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.\".Sh EXAMPLES
+.Sh DIAGNOSTICS
+.Nm rcp
+is implemented as a protocol on top of
+.Xr rsh 1 ,
+and thus requires a working rsh. If you intend to use Kerberos
+authentication, rsh needs to be Kerberos aware, else you may see more
+or less strange errors, such as "login incorrect", or "lost
+connection".
+.\".Sh SEE ALSO
+.\".Sh STANDARDS
+.Sh HISTORY
+The
+.Nm rcp
+utility first appeared in 4.2BSD. This version is derived from
+4.3BSD-Reno.
+.\".Sh AUTHORS
+.\".Sh BUGS
diff --git a/kerberosV/src/appl/rsh/rsh.cat1 b/kerberosV/src/appl/rsh/rsh.cat1
new file mode 100644
index 00000000000..e6d46ff0d4c
--- /dev/null
+++ b/kerberosV/src/appl/rsh/rsh.cat1
@@ -0,0 +1,130 @@
+
+RSH(1) UNIX Reference Manual RSH(1)
+
+NNAAMMEE
+ rrsshh - remote shell
+
+SSYYNNOOPPSSIISS
+ rrsshh [--4455FFGGKKddeeffnnuuxxzz] [--UU _s_t_r_i_n_g] [--pp _p_o_r_t] [--ll _u_s_e_r_n_a_m_e] [--PP _N_|_O] _h_o_s_t
+ _[_c_o_m_m_a_n_d_]
+
+DDEESSCCRRIIPPTTIIOONN
+ rrsshh authenticates to the rshd(8) daemon on the remote _h_o_s_t, and then exe-
+ cutes the specified _c_o_m_m_a_n_d.
+
+ rrsshh copies its standard input to the remote command, and the standard
+ output and error of the remote command to its own.
+
+ Valid options are:
+
+ --44, ----kkrrbb44
+ The --44 option requests Kerberos 4 authentication. Normally all
+ supported authentication mechanisms will be tried, but in some
+ cases more explicit control is desired.
+
+ --55, ----kkrrbb55
+ The --55 option requests Kerberos 5 authentication. This is analo-
+ gous to the --44 option.
+
+ --KK, ----bbrrookkeenn
+ The --KK option turns off all Kerberos authentication. The long
+ name implies that this is more or less totally unsecure. The se-
+ curity in this mode relies on reserved ports, which is not very
+ secure.
+
+ --nn, ----nnoo--iinnppuutt
+ The --nn option directs the input from the _/_d_e_v_/_n_u_l_l device (see
+ the _B_U_G_S section of this manual page).
+
+ --ee, ----nnoo--ssttddeerrrr
+ Don't use a separate socket for the stderr stream. This can be
+ necessary if rsh-ing through a NAT bridge.
+
+ --xx, ----eennccrryypptt
+ The --xx option enables encryption for all data exchange. This is
+ only valid for Kerberos authenticated connections (see the _B_U_G_S
+ section for limitations).
+
+ --zz The opposite of --xx. This is the default, but encryption can be
+ enabled when using Kerberos 5, by setting the libdefaults/encrypt
+ option in krb5.conf(5).
+
+ --ff, ----ffoorrwwaarrdd
+ Forward Kerberos 5 credentials to the remote host. Also con-
+ trolled by libdefaults/forward in krb5.conf(5).
+
+ --GG The opposite of --ff.
+
+ --FF, ----ffoorrwwaarrddaabbllee
+ Make the forwarded credentials re-forwardable. Also controlled by
+ libdefaults/forwardable in krb5.conf(5).
+
+ --uu, ----uunniiqquuee
+ Make sure the remote credentials cache is unique, that is, don't
+
+
+ reuse any existing cache. Mutually exclusive to --UU.
+
+ --UU _s_t_r_i_n_g, ----ttkkffiillee==_s_t_r_i_n_g
+ Name of the remote credentials cache. Mutually exclusive to --uu.
+
+ --pp _n_u_m_b_e_r_-_o_r_-_s_e_r_v_i_c_e, ----ppoorrtt==_n_u_m_b_e_r_-_o_r_-_s_e_r_v_i_c_e
+ Connect to this port instead of the default (which is 514 when
+ using old port based authentication, 544 for Kerberos 5 and non-
+ encrypted Kerberos 4, and 545 for encrytpted Kerberos 4; subject
+ of course to the contents of _/_e_t_c_/_s_e_r_v_i_c_e_s).
+
+ --ll _s_t_r_i_n_g, ----uusseerr==_s_t_r_i_n_g
+ By default the remote username is the same as the local. The --ll
+ option or the _u_s_e_r_n_a_m_e_@_h_o_s_t format allow the remote name to be
+ specified.
+
+ --PP _N_|_O_|_1_|_2, ----pprroottooccooll==_N_|_O_|_1_|_2
+ Specifies which protocol version to use with Kerberos 5. _N and _2
+ selects protocol version 2, while _O and _1 selects version 1. Ver-
+ sion 2 is believed to be more secure, and is the default. Unless
+ asked for a specific version, rrsshh will try both. This behaviour
+ may change in the future.
+
+EEXXAAMMPPLLEESS
+ Care should be taken when issuing commands containing shell meta charac-
+ ters. Without quoting, these will be expanded on the local machine.
+
+ The following command:
+
+ rsh otherhost cat remotefile > localfile
+
+ will write the contents of the remote _r_e_m_o_t_e_f_i_l_e to the local _l_o_c_a_l_f_i_l_e,
+ but:
+
+ rsh otherhost 'cat remotefile > remotefile2'
+
+ will write it to the remote _r_e_m_o_t_e_f_i_l_e_2.
+
+FFIILLEESS
+ /etc/hosts
+
+SSEEEE AALLSSOO
+ rlogin(1), krb_realmofhost(3), krb_sendauth(3), hosts.equiv(5),
+ krb5.conf(5), rhosts(5), kerberos(8) rshd(8)
+
+HHIISSTTOORRYY
+ The rrsshh command appeared in 4.2BSD.
+
+AAUUTTHHOORRSS
+ This implementation of rrsshh was written as part of the Heimdal Kerberos 5
+ implementation.
+
+BBUUGGSS
+ Some shells (notably csh(1)) will cause rrsshh to block if run in the back-
+ ground, unless the standard input is directed away from the terminal.
+ This is what the --nn option is for.
+
+ The --xx options enables encryption for the session, but for both Kerberos
+ 4 and 5 the actual command is sent unencrypted, so you should not send
+ any secret information in the command line (which is probably a bad idea
+ anyway, since the command line can usually be read with tools like
+ ps(1)). Forthermore in Kerberos 4 the command is not even integrity pro-
+ tected, so anyone with the right tools can modify the command.
+
+ HEIMDAL September 4, 2002 2
diff --git a/kerberosV/src/appl/rsh/rshd.cat8 b/kerberosV/src/appl/rsh/rshd.cat8
new file mode 100644
index 00000000000..2b09091aadd
--- /dev/null
+++ b/kerberosV/src/appl/rsh/rshd.cat8
@@ -0,0 +1,79 @@
+
+RSHD(8) UNIX System Manager's Manual RSHD(8)
+
+NNAAMMEE
+ rrsshhdd - remote shell server
+
+SSYYNNOOPPSSIISS
+ rrsshhdd [--aaiikkllnnvvxxPPLL] [--pp _p_o_r_t]
+
+DDEESSCCRRIIPPTTIIOONN
+ rrsshhdd is the server for the rsh(1) program. It provides an authenticated
+ remote command execution service. Supported options are:
+
+ --nn, ----nnoo--kkeeeeppaalliivvee
+ Disables keep-alive messages. Keep-alives are packets sent at
+ certain intervals to make sure that the client is still there,
+ even when it doesn't send any data.
+
+ --kk, ----kkeerrbbeerrooss
+ Assume that clients connecting to this server will use some form
+ of Kerberos authentication. See the _E_X_A_M_P_L_E_S section for a sample
+ inetd.conf(5) configuration.
+
+ --xx, ----eennccrryypptt
+ For Kerberos 4 this means that the connections are encrypted.
+ Kerberos 5 can negotiate encryption even without this option, but
+ if it's present rrsshhdd will deny unencrypted connections. This op-
+ tion implies --kk.
+
+ --vv, ----vvaaccuuoouuss
+ If the connecting client does not use any Kerberised authentica-
+ tion, print a message that complains about this fact, and exit.
+ This is helpful if you want to move away from old port-based au-
+ thentication.
+
+ --PP When using the AFS filesystem, users' authentication tokens are
+ put in something called a PAG (Process Authentication Group).
+ Multiple processes can share a PAG, but normally each login ses-
+ sion has its own PAG. This option disables the sseettppaagg() call, so
+ all tokens will be put in the default (uid-based) PAG, making it
+ possible to share tokens between sessions. This is only useful in
+ peculiar environments, such as some batch systems.
+
+ --ii, ----nnoo--iinneettdd
+ The --ii option will cause rrsshhdd to create a socket, instead of as-
+ suming that its stdin came from inetd(8). This is mostly useful
+ for debugging.
+
+ --pp _p_o_r_t, ----ppoorrtt==_p_o_r_t
+ Port to use with --ii.
+
+ --aa This flag is for backwards compatibility only.
+
+ --LL This flag enables logging of connections to syslogd(8). This op-
+ tion is always on in this implementation.
+
+FFIILLEESS
+ /etc/hosts.equiv
+ ~/.rhosts
+
+EEXXAAMMPPLLEESS
+ The following can be used to enable Kerberised rsh in inetd.cond(5),
+ while disabling non-Kerberised connections:
+
+ shell stream tcp nowait root /usr/libexec/rshd rshd -v
+ kshell stream tcp nowait root /usr/libexec/rshd rshd -k
+ ekshell stream tcp nowait root /usr/libexec/rshd rshd -kx
+
+SSEEEE AALLSSOO
+ rsh(1), iruserok(3)
+
+HHIISSTTOORRYY
+ The rrsshhdd command appeared in 4.2BSD.
+
+AAUUTTHHOORRSS
+ This implementation of rrsshhdd was written as part of the Heimdal Kerberos 5
+ implementation.
+
+ HEIMDAL November 22, 2002 2
diff --git a/kerberosV/src/cf/destdirs.m4 b/kerberosV/src/cf/destdirs.m4
new file mode 100644
index 00000000000..ff1a4a9614f
--- /dev/null
+++ b/kerberosV/src/cf/destdirs.m4
@@ -0,0 +1,18 @@
+dnl
+dnl $KTH: destdirs.m4,v 1.2 2002/08/12 15:12:50 joda Exp $
+dnl
+
+AC_DEFUN([rk_DESTDIRS], [
+# This is done by AC_OUTPUT but we need the result here.
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+AC_FOREACH([rk_dir], [bin lib libexec localstate sbin sysconf], [
+ x="${rk_dir[]dir}"
+ eval y="$x"
+ while test "x$y" != "x$x"; do
+ x="$y"
+ eval y="$x"
+ done
+ AC_DEFINE_UNQUOTED(AS_TR_CPP(rk_dir[]dir), "$x", [path to ]rk_dir[])])
+])
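Review bot: Both `eval y="$x"` lines in the AC_FOREACH body hand the directory value to eval without inner quoting, so a path containing whitespace is split inside eval: the first word becomes the assignment and the rest is run as a command. Escaping the quotes keeps the value in one word, `eval y=\"$x\"`, at both occurrences. The loop also has no iteration bound, so two directory variables that reference each other would leave configure spinning. A one-line comment would help, such as `# expand nested ${prefix}-style references until the value stops changing`.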
diff --git a/kerberosV/src/cf/dlopen.m4 b/kerberosV/src/cf/dlopen.m4
new file mode 100644
index 00000000000..155c05ff385
--- /dev/null
+++ b/kerberosV/src/cf/dlopen.m4
@@ -0,0 +1,8 @@
+dnl
+dnl $KTH: dlopen.m4,v 1.1 2002/08/28 16:32:16 joda Exp $
+dnl
+
+AC_DEFUN([rk_DLOPEN], [
+ AC_FIND_FUNC_NO_LIBS(dlopen, dl)
+ AM_CONDITIONAL(HAVE_DLOPEN, test "$ac_cv_funclib_dlopen" != no)
+])
diff --git a/kerberosV/src/cf/irix.m4 b/kerberosV/src/cf/irix.m4
new file mode 100644
index 00000000000..c7e98538e43
--- /dev/null
+++ b/kerberosV/src/cf/irix.m4
@@ -0,0 +1,26 @@
+dnl
+dnl $KTH: irix.m4,v 1.1 2002/08/28 19:11:44 joda Exp $
+dnl
+
+AC_DEFUN([rk_IRIX],
+[
+irix=no
+case "$host" in
+*-*-irix4*)
+ AC_DEFINE([IRIX4], 1,
+ [Define if you are running IRIX 4.])
+ irix=yes
+ ;;
+*-*-irix*)
+ irix=yes
+ ;;
+esac
+AM_CONDITIONAL(IRIX, test "$irix" != no)dnl
+
+AH_BOTTOM([
+/* IRIX 4 braindamage */
+#if IRIX == 4 && !defined(__STDC__)
+#define __STDC__ 0
+#endif
+])
+])
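Review bot: The AH_BOTTOM condition `#if IRIX == 4 && !defined(__STDC__)` tests a preprocessor symbol that this macro never defines. The `*-*-irix4*` arm defines `IRIX4`, and `AM_CONDITIONAL(IRIX, ...)` only creates an automake conditional, not a C macro. Unless `IRIX` is defined for the compiler somewhere outside this hunk, it evaluates to 0 in the `#if` and the `__STDC__` workaround is dead code. `#if defined(IRIX4) && !defined(__STDC__)` would match what the case statement actually sets.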
diff --git a/kerberosV/src/cf/otp.m4 b/kerberosV/src/cf/otp.m4
new file mode 100644
index 00000000000..f3770beccb5
--- /dev/null
+++ b/kerberosV/src/cf/otp.m4
@@ -0,0 +1,27 @@
+dnl $KTH: otp.m4,v 1.2 2002/05/19 20:51:08 joda Exp $
+dnl
+dnl check requirements for OTP library
+dnl
+AC_DEFUN([rk_OTP],[
+AC_REQUIRE([rk_DB])dnl
+AC_ARG_ENABLE(otp,
+ AC_HELP_STRING([--disable-otp],[if you don't want OTP support]))
+if test "$enable_otp" = yes -a "$db_type" = unknown; then
+ AC_MSG_ERROR([OTP requires a NDBM/DB compatible library])
+fi
+if test "$enable_otp" != no; then
+ if test "$db_type" != unknown; then
+ enable_otp=yes
+ else
+ enable_otp=no
+ fi
+fi
+if test "$enable_otp" = yes; then
+ AC_DEFINE(OTP, 1, [Define if you want OTP support in applications.])
+ LIB_otp='$(top_builddir)/lib/otp/libotp.la'
+ AC_SUBST(LIB_otp)
+fi
+AC_MSG_CHECKING([whether to enable OTP library])
+AC_MSG_RESULT($enable_otp)
+AM_CONDITIONAL(OTP, test "$enable_otp" = yes)dnl
+])
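Review bot: When `--enable-otp` is not given explicitly and `db_type` is `unknown`, the inner `else` branch sets `enable_otp=no` without a warning, so the only trace is the "whether to enable OTP library... no" result line. A site that expects one-time-password support in login or popper could end up with a build that lacks it without noticing. A warning in that branch would make the downgrade visible: `AC_MSG_WARN([OTP support disabled: no NDBM/DB compatible library found])`. Separately, `test "$enable_otp" = yes -a "$db_type" = unknown` uses `-a`, which is not portable across `test` implementations; `test "$enable_otp" = yes && test "$db_type" = unknown` is the safer form.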
diff --git a/kerberosV/src/cf/sunos.m4 b/kerberosV/src/cf/sunos.m4
new file mode 100644
index 00000000000..fa4dab87979
--- /dev/null
+++ b/kerberosV/src/cf/sunos.m4
@@ -0,0 +1,25 @@
+dnl
+dnl $KTH: sunos.m4,v 1.2 2002/10/16 14:42:13 joda Exp $
+dnl
+
+AC_DEFUN([rk_SUNOS],[
+sunos=no
+case "$host" in
+*-*-sunos4*)
+ sunos=40
+ ;;
+*-*-solaris2.7)
+ sunos=57
+ ;;
+*-*-solaris2.[[89]])
+ sunos=58
+ ;;
+*-*-solaris2*)
+ sunos=50
+ ;;
+esac
+if test "$sunos" != no; then
+ AC_DEFINE_UNQUOTED(SunOS, $sunos,
+ [Define to what version of SunOS you are running.])
+fi
+])
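Review bot: The `*-*-solaris2.[[89]])` arm matches only a single trailing digit, so a host string such as `solaris2.10` falls through to `*-*-solaris2*` and gets `sunos=50`, a lower value than the 57 and 58 given to 2.7 and 2.8/2.9. If code elsewhere compares `SunOS` numerically (not visible in this hunk), a newer release would be treated as older than 2.7. An extra arm ahead of the catch-all, e.g. `*-*-solaris2.1[[0-9]]*)` with a value no lower than 58, would keep the ordering monotonic. The `*-*-solaris2.7)` pattern also has no trailing `*`, unlike the `sunos4*` and `solaris2*` arms, which is worth making consistent.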
diff --git a/kerberosV/src/cf/telnet.m4 b/kerberosV/src/cf/telnet.m4
new file mode 100644
index 00000000000..428e499e666
--- /dev/null
+++ b/kerberosV/src/cf/telnet.m4
@@ -0,0 +1,78 @@
+dnl
+dnl $KTH: telnet.m4,v 1.1 2002/08/28 19:19:01 joda Exp $
+dnl
+dnl stuff used by telnet
+
+AC_DEFUN([rk_TELNET],[
+AC_DEFINE(AUTHENTICATION, 1,
+ [Define if you want authentication support in telnet.])dnl
+AC_DEFINE(ENCRYPTION, 1,
+ [Define if you want encryption support in telnet.])dnl
+AC_DEFINE(DES_ENCRYPTION, 1,
+ [Define if you want to use DES encryption in telnet.])dnl
+AC_DEFINE(DIAGNOSTICS, 1,
+ [Define this to enable diagnostics in telnet.])dnl
+AC_DEFINE(OLD_ENVIRON, 1,
+ [Define this to enable old environment option in telnet.])dnl
+if false; then
+ AC_DEFINE(ENV_HACK, 1,
+ [Define this if you want support for broken ENV_{VAR,VAL} telnets.])
+fi
+
+# Simple test for streamspty, based on the existance of getmsg(), alas
+# this breaks on SunOS4 which have streams but BSD-like ptys
+#
+# And also something wierd has happend with dec-osf1, fallback to bsd-ptys
+
+case "$host" in
+*-*-aix3*|*-*-sunos4*|*-*-osf*|*-*-hpux1[[01]]*)
+ ;;
+*)
+ AC_CHECK_FUNC(getmsg)
+ if test "$ac_cv_func_getmsg" = "yes"; then
+ AC_CACHE_CHECK([if getmsg works], ac_cv_func_getmsg_works,
+ AC_TRY_RUN([
+ #include <stdio.h>
+ #include <errno.h>
+
+ int main()
+ {
+ int ret;
+ ret = getmsg(open("/dev/null", 0), NULL, NULL, NULL);
+ if(ret < 0 && errno == ENOSYS)
+ return 1;
+ return 0;
+ }
+ ], ac_cv_func_getmsg_works=yes,
+ ac_cv_func_getmsg_works=no,
+ ac_cv_func_getmsg_works=no))
+ if test "$ac_cv_func_getmsg_works" = "yes"; then
+ AC_DEFINE(HAVE_GETMSG, 1,
+ [Define if you have a working getmsg.])
+ AC_DEFINE(STREAMSPTY, 1,
+ [Define if you have streams ptys.])
+ fi
+ fi
+ ;;
+esac
+
+AH_BOTTOM([
+#if defined(ENCRYPTION) && !defined(AUTHENTICATION)
+#define AUTHENTICATION 1
+#endif
+
+/* Set this to the default system lead string for telnetd
+ * can contain %-escapes: %s=sysname, %m=machine, %r=os-release
+ * %v=os-version, %t=tty, %h=hostname, %d=date and time
+ */
+#undef USE_IM
+
+/* Used with login -p */
+#undef LOGIN_ARGS
+
+/* set this to a sensible login */
+#ifndef LOGIN_PATH
+#define LOGIN_PATH BINDIR "/login"
+#endif
+])
+])
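Review bot: The AC_TRY_RUN program in the getmsg check calls `open()` and `getmsg()` with no declaration in scope, since it includes only `<stdio.h>` and `<errno.h>`. A compiler that rejects implicit function declarations would fail to build the test program, so `ac_cv_func_getmsg_works` becomes `no` and HAVE_GETMSG and STREAMSPTY stay undefined for a reason unrelated to whether getmsg works. Which pty handling telnetd is built with would then presumably depend on compiler strictness rather than on the platform. Adding `#include <fcntl.h>` and `#include <stropts.h>` to the program declares both calls. The third AC_TRY_RUN argument makes every cross-compile answer `no`, which deserves a `dnl` comment above the check.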
diff --git a/kerberosV/src/compile b/kerberosV/src/compile
new file mode 100755
index 00000000000..a81e000ae1a
--- /dev/null
+++ b/kerberosV/src/compile
@@ -0,0 +1,136 @@
+#! /bin/sh
+# Wrapper for compilers which do not understand `-c -o'.
+
+scriptversion=2003-11-09.00
+
+# Copyright (C) 1999, 2000, 2003 Free Software Foundation, Inc.
+# Written by Tom Tromey <tromey@cygnus.com>.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# This file is maintained in Automake, please report
+# bugs to <bug-automake@gnu.org> or send patches to
+# <automake-patches@gnu.org>.
+
+case $1 in
+ '')
+ echo "$0: No command. Try \`$0 --help' for more information." 1>&2
+ exit 1;
+ ;;
+ -h | --h*)
+ cat <<\EOF
+Usage: compile [--help] [--version] PROGRAM [ARGS]
+
+Wrapper for compilers which do not understand `-c -o'.
+Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
+arguments, and rename the output as expected.
+
+If you are trying to build a whole package this is not the
+right script to run: please start by reading the file `INSTALL'.
+
+Report bugs to <bug-automake@gnu.org>.
+EOF
+ exit 0
+ ;;
+ -v | --v*)
+ echo "compile $scriptversion"
+ exit 0
+ ;;
+esac
+
+
+prog=$1
+shift
+
+ofile=
+cfile=
+args=
+while test $# -gt 0; do
+ case "$1" in
+ -o)
+ # configure might choose to run compile as `compile cc -o foo foo.c'.
+ # So we do something ugly here.
+ ofile=$2
+ shift
+ case "$ofile" in
+ *.o | *.obj)
+ ;;
+ *)
+ args="$args -o $ofile"
+ ofile=
+ ;;
+ esac
+ ;;
+ *.c)
+ cfile=$1
+ args="$args $1"
+ ;;
+ *)
+ args="$args $1"
+ ;;
+ esac
+ shift
+done
+
+if test -z "$ofile" || test -z "$cfile"; then
+ # If no `-o' option was seen then we might have been invoked from a
+ # pattern rule where we don't need one. That is ok -- this is a
+ # normal compilation that the losing compiler can handle. If no
+ # `.c' file was seen then we are probably linking. That is also
+ # ok.
+ exec "$prog" $args
+fi
+
+# Name of file we expect compiler to create.
+cofile=`echo $cfile | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
+
+# Create the lock directory.
+# Note: use `[/.-]' here to ensure that we don't use the same name
+# that we are using for the .o file. Also, base the name on the expected
+# object file name, since that is what matters with a parallel build.
+lockdir=`echo $cofile | sed -e 's|[/.-]|_|g'`.d
+while true; do
+ if mkdir $lockdir > /dev/null 2>&1; then
+ break
+ fi
+ sleep 1
+done
+# FIXME: race condition here if user kills between mkdir and trap.
+trap "rmdir $lockdir; exit 1" 1 2 15
+
+# Run the compile.
+"$prog" $args
+status=$?
+
+if test -f "$cofile"; then
+ mv "$cofile" "$ofile"
+fi
+
+rmdir $lockdir
+exit $status
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
diff --git a/kerberosV/src/config.sub b/kerberosV/src/config.sub
index 42fc991d08a..264f820aa55 100644
--- a/kerberosV/src/config.sub
+++ b/kerberosV/src/config.sub
@@ -1,9 +1,9 @@
#! /bin/sh
-# Configuration validation subroutine script, version 1.1.
-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000
-# Free Software Foundation, Inc.
+# Configuration validation subroutine script.
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+# 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
-version='2000-09-11'
+timestamp='2004-02-23'
# This file is (in principle) common to ALL GNU software.
# The presence of a machine in this file suggests that SOME GNU software
@@ -29,7 +29,8 @@ version='2000-09-11'
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
-# Please send patches to <config-patches@gnu.org>.
+# Please send patches to <config-patches@gnu.org>. Submit a context
+# diff and a properly formatted ChangeLog entry.
#
# Configuration subroutine to validate and canonicalize a configuration type.
# Supply the specified configuration type as an argument.
@@ -60,16 +61,30 @@ Usage: $0 [OPTION] CPU-MFR-OPSYS
Canonicalize a configuration name.
Operation modes:
- -h, --help print this help, then exit
- -V, --version print version number, then exit"
+ -h, --help print this help, then exit
+ -t, --time-stamp print date of last modification, then exit
+ -v, --version print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.sub ($timestamp)
+
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
help="
Try \`$me --help' for more information."
# Parse command line
while test $# -gt 0 ; do
- case "$1" in
- --version | --vers* | -V )
+ case $1 in
+ --time-stamp | --time* | -t )
+ echo "$timestamp" ; exit 0 ;;
+ --version | -v )
echo "$version" ; exit 0 ;;
--help | --h* | -h )
echo "$usage"; exit 0 ;;
@@ -78,9 +93,7 @@ while test $# -gt 0 ; do
- ) # Use stdin as input.
break ;;
-* )
- exec >&2
- echo "$me: invalid option $1"
- echo "$help"
+ echo "$me: invalid option $1$help"
exit 1 ;;
*local*)
@@ -105,7 +118,8 @@ esac
# Here we must recognize all the valid KERNEL-OS combinations.
maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
case $maybe_os in
- nto-qnx* | linux-gnu*)
+ nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \
+ kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
os=-$maybe_os
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
;;
@@ -145,6 +159,14 @@ case $os in
os=-vxworks
basic_machine=$1
;;
+ -chorusos*)
+ os=-chorusos
+ basic_machine=$1
+ ;;
+ -chorusrdb)
+ os=-chorusrdb
+ basic_machine=$1
+ ;;
-hiux*)
os=-hiuxwe2
;;
@@ -203,22 +225,50 @@ esac
case $basic_machine in
# Recognize the basic CPU types without company name.
# Some are omitted here because they have special meanings below.
- tahoe | i860 | ia64 | m32r | m68k | m68000 | m88k | ns32k | arc | arm \
- | arme[lb] | armv[2345] | armv[345][lb] | pyramid | mn10200 | mn10300 | tron | a29k \
- | 580 | i960 | h8300 \
- | x86 | ppcbe | mipsbe | mipsle | shbe | shle | armbe | armle \
- | hppa | hppa1.0 | hppa1.1 | hppa2.0 | hppa2.0w | hppa2.0n \
- | hppa64 \
- | alpha | alphaev[4-8] | alphaev56 | alphapca5[67] \
- | alphaev6[78] \
- | we32k | ns16k | clipper | i370 | sh | sh[34] \
- | powerpc | powerpcle \
- | 1750a | dsp16xx | pdp11 | mips16 | mips64 | mipsel | mips64el \
- | mips64orion | mips64orionel | mipstx39 | mipstx39el \
- | mips64vr4300 | mips64vr4300el | mips64vr4100 | mips64vr4100el \
- | mips64vr5000 | miprs64vr5000el | mcore \
- | sparc | sparclet | sparclite | sparc64 | sparcv9 | v850 | c4x \
- | thumb | d10v | d30v | fr30 | avr)
+ 1750a | 580 \
+ | a29k \
+ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+ | am33_2.0 \
+ | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
+ | c4x | clipper \
+ | d10v | d30v | dlx | dsp16xx \
+ | fr30 | frv \
+ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+ | i370 | i860 | i960 | ia64 \
+ | ip2k | iq2000 \
+ | m32r | m68000 | m68k | m88k | mcore \
+ | mips | mipsbe | mipseb | mipsel | mipsle \
+ | mips16 \
+ | mips64 | mips64el \
+ | mips64vr | mips64vrel \
+ | mips64orion | mips64orionel \
+ | mips64vr4100 | mips64vr4100el \
+ | mips64vr4300 | mips64vr4300el \
+ | mips64vr5000 | mips64vr5000el \
+ | mipsisa32 | mipsisa32el \
+ | mipsisa32r2 | mipsisa32r2el \
+ | mipsisa64 | mipsisa64el \
+ | mipsisa64r2 | mipsisa64r2el \
+ | mipsisa64sb1 | mipsisa64sb1el \
+ | mipsisa64sr71k | mipsisa64sr71kel \
+ | mipstx39 | mipstx39el \
+ | mn10200 | mn10300 \
+ | msp430 \
+ | ns16k | ns32k \
+ | openrisc | or32 \
+ | pdp10 | pdp11 | pj | pjl \
+ | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+ | pyramid \
+ | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
+ | sh64 | sh64le \
+ | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \
+ | strongarm \
+ | tahoe | thumb | tic4x | tic80 | tron \
+ | v850 | v850e \
+ | we32k \
+ | x86 | xscale | xstormy16 | xtensa \
+ | z8k)
basic_machine=$basic_machine-unknown
;;
m6811 | m68hc11 | m6812 | m68hc12)
@@ -226,13 +276,13 @@ case $basic_machine in
basic_machine=$basic_machine-unknown
os=-none
;;
- m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | z8k | v70 | h8500 | w65 | pj | pjl)
+ m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
;;
# We use `pc' rather than `unknown'
# because (1) that's what they normally are, and
# (2) the word "unknown" tends to confuse beginning users.
- i[234567]86 | x86_64)
+ i*86 | x86_64)
basic_machine=$basic_machine-pc
;;
# Object if more than one company name word.
@@ -241,28 +291,61 @@ case $basic_machine in
exit 1
;;
# Recognize the basic CPU types with company name.
- # FIXME: clean up the formatting here.
- vax-* | tahoe-* | i[234567]86-* | i860-* | ia64-* | m32r-* | m68k-* | m68000-* \
- | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | arm-* | c[123]* \
- | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \
- | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \
- | xmp-* | ymp-* \
- | x86-* | ppcbe-* | mipsbe-* | mipsle-* | shbe-* | shle-* | armbe-* | armle-* \
- | hppa-* | hppa1.0-* | hppa1.1-* | hppa2.0-* | hppa2.0w-* \
- | hppa2.0n-* | hppa64-* \
- | alpha-* | alphaev[4-8]-* | alphaev56-* | alphapca5[67]-* \
- | alphaev6[78]-* \
- | we32k-* | cydra-* | ns16k-* | pn-* | np1-* | xps100-* \
- | clipper-* | orion-* \
- | sparclite-* | pdp11-* | sh-* | powerpc-* | powerpcle-* \
- | sparc64-* | sparcv9-* | sparc86x-* | mips16-* | mips64-* | mipsel-* \
- | mips64el-* | mips64orion-* | mips64orionel-* \
- | mips64vr4100-* | mips64vr4100el-* | mips64vr4300-* | mips64vr4300el-* \
- | mipstx39-* | mipstx39el-* | mcore-* \
- | f301-* | armv*-* | s390-* | sv1-* | t3e-* \
- | m88110-* | m680[01234]0-* | m683?2-* | m68360-* | z8k-* | d10v-* \
- | thumb-* | v850-* | d30v-* | tic30-* | c30-* | fr30-* \
- | bs2000-* | tic54x-* | c54x-* | x86_64-*)
+ 580-* \
+ | a29k-* \
+ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
+ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
+ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
+ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \
+ | avr-* \
+ | bs2000-* \
+ | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+ | clipper-* | cydra-* \
+ | d10v-* | d30v-* | dlx-* \
+ | elxsi-* \
+ | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
+ | h8300-* | h8500-* \
+ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+ | i*86-* | i860-* | i960-* | ia64-* \
+ | ip2k-* | iq2000-* \
+ | m32r-* \
+ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
+ | m88110-* | m88k-* | mcore-* \
+ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
+ | mips16-* \
+ | mips64-* | mips64el-* \
+ | mips64vr-* | mips64vrel-* \
+ | mips64orion-* | mips64orionel-* \
+ | mips64vr4100-* | mips64vr4100el-* \
+ | mips64vr4300-* | mips64vr4300el-* \
+ | mips64vr5000-* | mips64vr5000el-* \
+ | mipsisa32-* | mipsisa32el-* \
+ | mipsisa32r2-* | mipsisa32r2el-* \
+ | mipsisa64-* | mipsisa64el-* \
+ | mipsisa64r2-* | mipsisa64r2el-* \
+ | mipsisa64sb1-* | mipsisa64sb1el-* \
+ | mipsisa64sr71k-* | mipsisa64sr71kel-* \
+ | mipstx39-* | mipstx39el-* \
+ | msp430-* \
+ | none-* | np1-* | nv1-* | ns16k-* | ns32k-* \
+ | orion-* \
+ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
+ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+ | pyramid-* \
+ | romp-* | rs6000-* \
+ | sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
+ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
+ | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \
+ | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
+ | tahoe-* | thumb-* \
+ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+ | tron-* \
+ | v850-* | v850e-* | vax-* \
+ | we32k-* \
+ | x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \
+ | xtensa-* \
+ | ymp-* \
+ | z8k-*)
;;
# Recognize the various machine names and aliases which stand
# for a CPU type and a company and sometimes even an OS.
@@ -280,6 +363,9 @@ case $basic_machine in
basic_machine=a29k-amd
os=-udi
;;
+ abacus)
+ basic_machine=abacus-unknown
+ ;;
adobe68k)
basic_machine=m68010-adobe
os=-scout
@@ -294,6 +380,12 @@ case $basic_machine in
basic_machine=a29k-none
os=-bsd
;;
+ amd64)
+ basic_machine=x86_64-pc
+ ;;
+ amd64-*)
+ basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
amdahl)
basic_machine=580-amdahl
os=-sysv
@@ -325,6 +417,10 @@ case $basic_machine in
basic_machine=ns32k-sequent
os=-dynix
;;
+ c90)
+ basic_machine=c90-cray
+ os=-unicos
+ ;;
convex-c1)
basic_machine=c1-convex
os=-bsd
@@ -345,17 +441,13 @@ case $basic_machine in
basic_machine=c38-convex
os=-bsd
;;
- cray | ymp)
- basic_machine=ymp-cray
- os=-unicos
- ;;
- cray2)
- basic_machine=cray2-cray
+ cray | j90)
+ basic_machine=j90-cray
os=-unicos
;;
- [ctj]90-cray)
- basic_machine=c90-cray
- os=-unicos
+ cr16c)
+ basic_machine=cr16c-unknown
+ os=-elf
;;
crds | unos)
basic_machine=m68k-crds
@@ -363,12 +455,24 @@ case $basic_machine in
cris | cris-* | etrax*)
basic_machine=cris-axis
;;
+ crx)
+ basic_machine=crx-unknown
+ os=-elf
+ ;;
da30 | da30-*)
basic_machine=m68k-da30
;;
decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
basic_machine=mips-dec
;;
+ decsystem10* | dec10*)
+ basic_machine=pdp10-dec
+ os=-tops10
+ ;;
+ decsystem20* | dec20*)
+ basic_machine=pdp10-dec
+ os=-tops20
+ ;;
delta | 3300 | motorola-3300 | motorola-delta \
| 3300-motorola | delta-motorola)
basic_machine=m68k-motorola
@@ -410,6 +514,10 @@ case $basic_machine in
basic_machine=tron-gmicro
os=-sysv
;;
+ go32)
+ basic_machine=i386-pc
+ os=-go32
+ ;;
h3050r* | hiux*)
basic_machine=hppa1.1-hitachi
os=-hiuxwe2
@@ -485,19 +593,19 @@ case $basic_machine in
basic_machine=i370-ibm
;;
# I'm not sure what "Sysv32" means. Should this be sysv3.2?
- i[34567]86v32)
+ i*86v32)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-sysv32
;;
- i[34567]86v4*)
+ i*86v4*)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-sysv4
;;
- i[34567]86v)
+ i*86v)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-sysv
;;
- i[34567]86sol2)
+ i*86sol2)
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-solaris2
;;
@@ -509,18 +617,6 @@ case $basic_machine in
basic_machine=i386-unknown
os=-vsta
;;
- i386-go32 | go32)
- basic_machine=i386-unknown
- os=-go32
- ;;
- i386-mingw32 | mingw32)
- basic_machine=i386-unknown
- os=-mingw32
- ;;
- i[34567]86-pw32 | pw32)
- basic_machine=i586-unknown
- os=-pw32
- ;;
iris | iris4d)
basic_machine=mips-sgi
case $os in
@@ -546,6 +642,10 @@ case $basic_machine in
basic_machine=ns32k-utek
os=-sysv
;;
+ mingw32)
+ basic_machine=i386-pc
+ os=-mingw32
+ ;;
miniframe)
basic_machine=m68000-convergent
;;
@@ -553,14 +653,6 @@ case $basic_machine in
basic_machine=m68k-atari
os=-mint
;;
- mipsel*-linux*)
- basic_machine=mipsel-unknown
- os=-linux-gnu
- ;;
- mips*-linux*)
- basic_machine=mips-unknown
- os=-linux-gnu
- ;;
mips3*-*)
basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
;;
@@ -575,8 +667,12 @@ case $basic_machine in
basic_machine=m68k-rom68k
os=-coff
;;
+ morphos)
+ basic_machine=powerpc-unknown
+ os=-morphos
+ ;;
msdos)
- basic_machine=i386-unknown
+ basic_machine=i386-pc
os=-msdos
;;
mvs)
@@ -640,9 +736,17 @@ case $basic_machine in
basic_machine=i960-intel
os=-mon960
;;
+ nonstopux)
+ basic_machine=mips-compaq
+ os=-nonstopux
+ ;;
np1)
basic_machine=np1-gould
;;
+ nv1)
+ basic_machine=nv1-cray
+ os=-unicosmp
+ ;;
nsr-tandem)
basic_machine=nsr-tandem
;;
@@ -650,6 +754,14 @@ case $basic_machine in
basic_machine=hppa1.1-oki
os=-proelf
;;
+ or32 | or32-*)
+ basic_machine=or32-unknown
+ os=-coff
+ ;;
+ os400)
+ basic_machine=powerpc-ibm
+ os=-os400
+ ;;
OSE68000 | ose68000)
basic_machine=m68000-ericsson
os=-ose
@@ -672,45 +784,65 @@ case $basic_machine in
pbb)
basic_machine=m68k-tti
;;
- pc532 | pc532-*)
+ pc532 | pc532-*)
basic_machine=ns32k-pc532
;;
- pentium | p5 | k5 | k6 | nexen)
+ pentium | p5 | k5 | k6 | nexgen | viac3)
basic_machine=i586-pc
;;
- pentiumpro | p6 | 6x86 | athlon)
+ pentiumpro | p6 | 6x86 | athlon | athlon_*)
basic_machine=i686-pc
;;
- pentiumii | pentium2)
+ pentiumii | pentium2 | pentiumiii | pentium3)
+ basic_machine=i686-pc
+ ;;
+ pentium4)
basic_machine=i786-pc
;;
- pentium-* | p5-* | k5-* | k6-* | nexen-*)
+ pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
pentiumpro-* | p6-* | 6x86-* | athlon-*)
basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
- pentiumii-* | pentium2-*)
+ pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
+ basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ pentium4-*)
basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
pn)
basic_machine=pn-gould
;;
- power) basic_machine=rs6000-ibm
+ power) basic_machine=power-ibm
;;
ppc) basic_machine=powerpc-unknown
- ;;
+ ;;
ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
ppcle | powerpclittle | ppc-le | powerpc-little)
basic_machine=powerpcle-unknown
- ;;
+ ;;
ppcle-* | powerpclittle-*)
basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
+ ppc64) basic_machine=powerpc64-unknown
+ ;;
+ ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+ basic_machine=powerpc64le-unknown
+ ;;
+ ppc64le-* | powerpc64little-*)
+ basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
ps2)
basic_machine=i386-ibm
;;
+ pw32)
+ basic_machine=i586-unknown
+ os=-pw32
+ ;;
rom68k)
basic_machine=m68k-rom68k
os=-coff
@@ -721,10 +853,26 @@ case $basic_machine in
rtpc | rtpc-*)
basic_machine=romp-ibm
;;
+ s390 | s390-*)
+ basic_machine=s390-ibm
+ ;;
+ s390x | s390x-*)
+ basic_machine=s390x-ibm
+ ;;
sa29200)
basic_machine=a29k-amd
os=-udi
;;
+ sb1)
+ basic_machine=mipsisa64sb1-unknown
+ ;;
+ sb1el)
+ basic_machine=mipsisa64sb1el-unknown
+ ;;
+ sei)
+ basic_machine=mips-sei
+ os=-seiux
+ ;;
sequent)
basic_machine=i386-sequent
;;
@@ -732,7 +880,10 @@ case $basic_machine in
basic_machine=sh-hitachi
os=-hms
;;
- sparclite-wrs)
+ sh64)
+ basic_machine=sh64-unknown
+ ;;
+ sparclite-wrs | simso-wrs)
basic_machine=sparclite-wrs
os=-vxworks
;;
@@ -799,22 +950,42 @@ case $basic_machine in
os=-dynix
;;
t3e)
- basic_machine=t3e-cray
+ basic_machine=alphaev5-cray
+ os=-unicos
+ ;;
+ t90)
+ basic_machine=t90-cray
os=-unicos
;;
tic54x | c54x*)
basic_machine=tic54x-unknown
os=-coff
;;
+ tic55x | c55x*)
+ basic_machine=tic55x-unknown
+ os=-coff
+ ;;
+ tic6x | c6x*)
+ basic_machine=tic6x-unknown
+ os=-coff
+ ;;
tx39)
basic_machine=mipstx39-unknown
;;
tx39el)
basic_machine=mipstx39el-unknown
;;
+ toad1)
+ basic_machine=pdp10-xkl
+ os=-tops20
+ ;;
tower | tower-32)
basic_machine=m68k-ncr
;;
+ tpf)
+ basic_machine=s390x-ibm
+ os=-tpf
+ ;;
udi29k)
basic_machine=a29k-amd
os=-udi
@@ -836,8 +1007,8 @@ case $basic_machine in
os=-vms
;;
vpp*|vx|vx-*)
- basic_machine=f301-fujitsu
- ;;
+ basic_machine=f301-fujitsu
+ ;;
vxworks960)
basic_machine=i960-wrs
os=-vxworks
@@ -858,13 +1029,13 @@ case $basic_machine in
basic_machine=hppa1.1-winbond
os=-proelf
;;
- xmp)
- basic_machine=xmp-cray
- os=-unicos
- ;;
- xps | xps100)
+ xps | xps100)
basic_machine=xps100-honeywell
;;
+ ymp)
+ basic_machine=ymp-cray
+ os=-unicos
+ ;;
z8k-*-coff)
basic_machine=z8k-unknown
os=-sim
@@ -885,13 +1056,6 @@ case $basic_machine in
op60c)
basic_machine=hppa1.1-oki
;;
- mips)
- if [ x$os = x-linux-gnu ]; then
- basic_machine=mips-unknown
- else
- basic_machine=mips-mips
- fi
- ;;
romp)
basic_machine=romp-ibm
;;
@@ -901,19 +1065,26 @@ case $basic_machine in
vax)
basic_machine=vax-dec
;;
+ pdp10)
+ # there are many clones, so DEC is not a safe bet
+ basic_machine=pdp10-unknown
+ ;;
pdp11)
basic_machine=pdp11-dec
;;
we32k)
basic_machine=we32k-att
;;
- sh3 | sh4)
- base_machine=sh-unknown
+ sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele)
+ basic_machine=sh-unknown
;;
- sparc | sparcv9)
+ sh64)
+ basic_machine=sh64-unknown
+ ;;
+ sparc | sparcv9 | sparcv9b)
basic_machine=sparc-sun
;;
- cydra)
+ cydra)
basic_machine=cydra-cydrome
;;
orion)
@@ -928,9 +1099,8 @@ case $basic_machine in
pmac | pmac-mpw)
basic_machine=powerpc-apple
;;
- c4x*)
- basic_machine=c4x-none
- os=-coff
+ *-unknown)
+ # Make sure to match an already-canonicalized machine name.
;;
*)
echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
@@ -984,27 +1154,35 @@ case $os in
| -aos* \
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
- | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \
- | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \
+ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
+ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+ | -chorusos* | -chorusrdb* \
| -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
- | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \
- | -interix* | -uwin* | -rhapsody* | -darwin* | -opened* \
- | -openstep* | -oskit* | -conix* | -pw32*)
+ | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \
+ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
+ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
+ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
+ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
case $basic_machine in
- x86-* | i[34567]86-*)
+ x86-* | i*86-*)
;;
*)
os=-nto$os
;;
esac
;;
+ -nto-qnx*)
+ ;;
-nto*)
- os=-nto-qnx
+ os=`echo $os | sed -e 's|nto|nto-qnx|'`
;;
-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
| -windows* | -osx | -abug | -netware* | -os9* | -beos* \
@@ -1013,6 +1191,9 @@ case $os in
-mac*)
os=`echo $os | sed -e 's|mac|macos|'`
;;
+ -linux-dietlibc)
+ os=-linux-dietlibc
+ ;;
-linux*)
os=`echo $os | sed -e 's|linux|linux-gnu|'`
;;
@@ -1025,6 +1206,9 @@ case $os in
-opened*)
os=-openedition
;;
+ -os400*)
+ os=-os400
+ ;;
-wince*)
os=-wince
;;
@@ -1043,14 +1227,23 @@ case $os in
-acis*)
os=-aos
;;
+ -atheos*)
+ os=-atheos
+ ;;
+ -syllable*)
+ os=-syllable
+ ;;
-386bsd)
os=-bsd
;;
-ctix* | -uts*)
os=-sysv
;;
+ -nova*)
+ os=-rtmk-nova
+ ;;
-ns2 )
- os=-nextstep2
+ os=-nextstep2
;;
-nsk*)
os=-nsk
@@ -1062,6 +1255,9 @@ case $os in
-sinix*)
os=-sysv4
;;
+ -tpf*)
+ os=-tpf
+ ;;
-triton*)
os=-sysv3
;;
@@ -1089,8 +1285,14 @@ case $os in
-xenix)
os=-xenix
;;
- -*mint | -*MiNT)
- os=-mint
+ -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+ os=-mint
+ ;;
+ -aros*)
+ os=-aros
+ ;;
+ -kaos*)
+ os=-kaos
;;
-none)
;;
@@ -1123,7 +1325,14 @@ case $basic_machine in
arm*-semi)
os=-aout
;;
- pdp11-*)
+ c4x-* | tic4x-*)
+ os=-coff
+ ;;
+ # This must come before the *-dec entry.
+ pdp10-*)
+ os=-tops20
+ ;;
+ pdp11-*)
os=-none
;;
*-dec | vax-*)
@@ -1150,6 +1359,9 @@ case $basic_machine in
mips*-*)
os=-elf
;;
+ or32-*)
+ os=-coff
+ ;;
*-tti) # must be before sparc entry or we get the wrong os.
os=-sysv3
;;
@@ -1213,25 +1425,25 @@ case $basic_machine in
*-next)
os=-nextstep3
;;
- *-gould)
+ *-gould)
os=-sysv
;;
- *-highlevel)
+ *-highlevel)
os=-bsd
;;
*-encore)
os=-bsd
;;
- *-sgi)
+ *-sgi)
os=-irix
;;
- *-siemens)
+ *-siemens)
os=-sysv4
;;
*-masscomp)
os=-rtu
;;
- f301-fujitsu)
+ f30[01]-fujitsu | f700-fujitsu)
os=-uxpv
;;
*-rom68k)
@@ -1294,10 +1506,16 @@ case $basic_machine in
-mvs* | -opened*)
vendor=ibm
;;
+ -os400*)
+ vendor=ibm
+ ;;
-ptx*)
vendor=sequent
;;
- -vxsim* | -vxworks*)
+ -tpf*)
+ vendor=ibm
+ ;;
+ -vxsim* | -vxworks* | -windiss*)
vendor=wrs
;;
-aux*)
@@ -1309,9 +1527,12 @@ case $basic_machine in
-mpw* | -macos*)
vendor=apple
;;
- -*mint | -*MiNT)
+ -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
vendor=atari
;;
+ -vos*)
+ vendor=stratus
+ ;;
esac
basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
;;
@@ -1322,7 +1543,7 @@ exit 0
# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "version='"
+# time-stamp-start: "timestamp='"
# time-stamp-format: "%:y-%02m-%02d"
# time-stamp-end: "'"
# End:
diff --git a/kerberosV/src/doc/ack.texi b/kerberosV/src/doc/ack.texi
index 1fa181f7248..3e42c3f8c3c 100644
--- a/kerberosV/src/doc/ack.texi
+++ b/kerberosV/src/doc/ack.texi
@@ -1,4 +1,4 @@
-@c $KTH: ack.texi,v 1.16 2003/03/15 14:21:41 lha Exp $
+@c $KTH: ack.texi,v 1.16.2.1 2003/09/18 20:46:05 lha Exp $
@node Acknowledgments, , Migration, Top
@comment node-name, next, previous, up
@@ -39,7 +39,7 @@ Bugfixes, documentation, encouragement, and code has been contributed by:
@item Marc Horowitz
@email{marc@@cygnus.com}
@item Luke Howard
-@email{lukeh@@xedoc.com.au}
+@email{lukeh@@PADL.COM}
@item Brandon S. Allbery KF8NH
@email{allbery@@kf8nh.apk.net}
@item Jun-ichiro itojun Hagino
diff --git a/kerberosV/src/doc/heimdal.info b/kerberosV/src/doc/heimdal.info
index 9285e9b58cb..54337fca33f 100644
--- a/kerberosV/src/doc/heimdal.info
+++ b/kerberosV/src/doc/heimdal.info
@@ -1,5 +1,5 @@
-This is heimdal.info, produced by makeinfo version 4.0 from
-heimdal.texi.
+This is Info file heimdal.info, produced by Makeinfo version 1.68 from
+the input file heimdal.texi.
INFO-DIR-SECTION Heimdal
START-INFO-DIR-ENTRY
@@ -8,46 +8,47 @@ END-INFO-DIR-ENTRY

Indirect:
-heimdal.info-1: 210
-heimdal.info-2: 47804
+heimdal.info-1: 236
+heimdal.info-2: 48957

Tag Table:
(Indirect)
-Node: Top210
-Node: Introduction565
-Node: What is Kerberos?3443
-Node: Building and Installing8517
-Node: Setting up a realm12129
-Node: Configuration file12826
-Node: Creating the database15516
-Node: keytabs18019
-Node: Serving Kerberos 4/524/kaserver18863
-Node: Remote administration20311
-Node: Password changing22237
-Node: Testing clients and servers24046
-Node: Slave Servers24366
-Node: Incremental propagation25999
-Node: Salting28527
-Node: Things in search for a better place30241
-Node: Kerberos 4 issues35253
-Node: Principal conversion issues35755
-Ref: Principal conversion issues-Footnote-137978
-Ref: Principal conversion issues-Footnote-238046
-Node: Converting a version 4 database38099
-Node: kaserver43127
-Node: Windows 2000 compatability44866
-Node: Configuring Windows 2000 to use a Heimdal KDC46052
-Node: Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC47804
-Node: Create account mappings50252
-Node: Encryption types50842
-Node: Authorization data51583
-Node: Quirks of Windows 2000 KDC52727
-Node: Useful links when reading about the Windows 200053968
-Node: Programming with Kerberos56002
-Node: Kerberos 5 API Overview56415
-Node: Walkthru a sample Kerberos 5 client57969
-Node: Validating a password in a server application65785
-Node: Migration66066
-Node: Acknowledgments67320
+Node: Top236
+Node: Introduction591
+Node: What is Kerberos?3469
+Node: Building and Installing8542
+Node: Setting up a realm12154
+Node: Configuration file12905
+Node: Creating the database15662
+Node: keytabs18261
+Node: Serving Kerberos 4/524/kaserver19105
+Node: Remote administration20553
+Node: Password changing22489
+Node: Testing clients and servers24298
+Node: Slave Servers24618
+Node: Incremental propagation26366
+Node: Salting28894
+Node: Cross realm30628
+Node: Transit policy33178
+Node: Setting up DNS34421
+Node: Things in search for a better place36071
+Node: Kerberos 4 issues41083
+Node: Principal conversion issues41585
+Node: Converting a version 4 database43929
+Node: kaserver48957
+Node: Windows 2000 compatability50696
+Node: Configuring Windows 2000 to use a Heimdal KDC51882
+Node: Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC53634
+Node: Create account mappings56082
+Node: Encryption types56672
+Node: Authorization data57413
+Node: Quirks of Windows 2000 KDC58557
+Node: Useful links when reading about the Windows 200059799
+Node: Programming with Kerberos61871
+Node: Kerberos 5 API Overview62285
+Node: Walkthru a sample Kerberos 5 client63839
+Node: Validating a password in a server application71655
+Node: Migration71936
+Node: Acknowledgments73189

End Tag Table
diff --git a/kerberosV/src/doc/heimdal.info-1 b/kerberosV/src/doc/heimdal.info-1
index c9ea6a4637b..9650a80a908 100644
--- a/kerberosV/src/doc/heimdal.info-1
+++ b/kerberosV/src/doc/heimdal.info-1
@@ -1,5 +1,5 @@
-This is heimdal.info, produced by makeinfo version 4.0 from
-heimdal.texi.
+This is Info file heimdal.info, produced by Makeinfo version 1.68 from
+the input file heimdal.texi.
INFO-DIR-SECTION Heimdal
START-INFO-DIR-ENTRY
@@ -123,7 +123,7 @@ Heimdal source code, binaries and the manual
The source code for heimdal, links to binaries and the manual (this
document) can be found on our web-page at
-<http://www.pdc.kth.se/heimdal/>.
+`http://www.pdc.kth.se/heimdal/'.

File: heimdal.info, Node: What is Kerberos?, Next: Building and Installing, Prev: Introduction, Up: Top
@@ -178,7 +178,6 @@ time, the lifetime of the ticket, and the session key, all encrypted in
A's secret key ({B, T<ISSUE>, LIFE, K<AB>, T<AB>}K<A>). A decrypts the
reply and retains it for later use.
-
Before sending a message to B, A creates an authenticator consisting of
A's name, A's address, the current time, and a "checksum" chosen by A,
all encrypted with the secret session key ({A, A<ADDR>, T<CURRENT>,
@@ -242,7 +241,7 @@ Authentication System: a Dialogue in Four Scenes' by Bill Bryant, also
from 1988.
These documents can be found on our web-page at
-<http://www.pdc.kth.se/kth-krb/>.
+`http://www.pdc.kth.se/kth-krb/'.

File: heimdal.info, Node: Building and Installing, Next: Setting up a realm, Prev: What is Kerberos?, Up: Top
@@ -325,8 +324,8 @@ following options:
`--with-openldap'
Compile Heimdal with support for storing the database in LDAP.
- Requires OpenLDAP <http://www.openldap.org>. See
- <http://www.padl.com/~lukeh/heimdal/> for more information.
+ Requires OpenLDAP `http://www.openldap.org'. See
+ `http://www.padl.com/~lukeh/heimdal/' for more information.
`--enable-bigendian'
@@ -364,6 +363,9 @@ Setting up a realm
* Slave Servers::
* Incremental propagation::
* Salting::
+* Cross realm::
+* Transit policy::
+* Setting up DNS::
A realm is an administrative domain. The name of a Kerberos realm is
usually the Internet domain name in uppercase. Call your realm the same
@@ -407,12 +409,12 @@ In this manual, names of sections and bindings will be given as strings
separated by slashes (`/'). The `other-var' variable will thus be
`section1/a-subsection/other-var'.
-For in-depth information about the contents of the config file, refer to
-the `krb5.conf' manual page. Some of the more important sections are
-briefly described here.
+For in-depth information about the contents of the configuration file,
+refer to the `krb5.conf' manual page. Some of the more important
+sections are briefly described here.
The `libdefaults' section contains a list of library configuration
-parameters, such as the default realm and the timeout for kdc
+parameters, such as the default realm and the timeout for KDC
responses. The `realms' section contains information about specific
realms, such as where they hide their KDC. This section serves the same
purpose as the Kerberos 4 `krb.conf' file, but can contain more
@@ -420,21 +422,22 @@ information. Finally the `domain_realm' section contains a list of
mappings from domains to realms, equivalent to the Kerberos 4
`krb.realms' file.
-To continue with the realm setup, you will have to create a config file,
-with contents similar to the following.
+To continue with the realm setup, you will have to create a
+configuration file, with contents similar to the following.
[libdefaults]
default_realm = MY.REALM
[realms]
MY.REALM = {
- kdc = my.kdc
+ kdc = my.kdc my.slave.kdc
+ kdc = my.third.kdc
}
[domain_realm]
.my.domain = MY.REALM
If you use a realm name equal to your domain name, you can omit the
`libdefaults', and `domain_realm', sections. If you have a SRV-record
-for your realm, or your kerberos server has CNAME called
+for your realm, or your Kerberos server has CNAME called
`kerberos.my.realm', you can omit the `realms' section too.

@@ -443,8 +446,11 @@ File: heimdal.info, Node: Creating the database, Next: keytabs, Prev: Configu
Creating the database
=====================
-The database library will look for the database in `/var/heimdal', so
-you should probably create that directory.
+The database library will look for the database in the directory
+`/var/heimdal', so you should probably create that directory. Make
+sure the directory have restrictive permissions.
+
+ # mkdir /var/heimdal
The keys of all the principals are stored in the database. If you
choose to, these can be encrypted with a master key. You do not have to
@@ -535,12 +541,12 @@ Serving Kerberos 4/524/kaserver
Heimdal can be configured to support 524, Kerberos 4 or kaserver. All
theses services are default turned off. Kerberos 4 support also depends
-on if Kerberos 4 support is compiled in with heimdal.
+on if Kerberos 4 support is compiled in with Heimdal.
524
---
-524 is a service that allows the kdc to convert Kerberos 5 tickets to
+524 is a service that allows the KDC to convert Kerberos 5 tickets to
Kerberos 4 tickets for backward compatibility. See also Using 2b tokens
with AFS in *Note Things in search for a better place::.
@@ -565,7 +571,7 @@ kaserver
--------
Kaserver is a Kerberos 4 that is used in AFS, the protocol have some
-features over plain Kerberos 4, but like kerberos 4 only use single DES
+features over plain Kerberos 4, but like Kerberos 4 only use single DES
too.
You should only enable Kerberos 4 support if you have a need for for
@@ -591,9 +597,9 @@ from `inetd' you should add a line similar to the one below to your
You might need to add `kerberos-adm' to your `/etc/services' as 749/tcp.
-Access to the admin server is controlled by an acl-file, (default
-`/var/heimdal/kadmind.acl'.) The lines in the access file, has the
-following syntax:
+Access to the administration server is controlled by an acl-file,
+(default `/var/heimdal/kadmind.acl'.) The lines in the access file, has
+the following syntax:
principal [priv1,priv2,...] [glob-pattern]
The matching is from top to bottom for matching principal (and if given,
@@ -608,11 +614,11 @@ corresponds to the different commands in `kadmin'.
If a GLOB-PATTERN is given on a line, it restricts the right for the
principal to only apply for the subjects that match the pattern. The
patters are of the same type as those used in shell globbing, see
-<none,,fnmatch(3)>.
+`none,,fnmatch(3)'.
In the example below `lha/admin' can change every principal in the
database. `jimmy/admin' can only modify principals that belong to the
-realm `E.KTH.SE'. `mille/admin' is working at the helpdesk, so he
+realm `E.KTH.SE'. `mille/admin' is working at the help desk, so he
should only be able to change the passwords for single component
principals (ordinary users). He will not be able to change any `/admin'
principal.
@@ -662,7 +668,7 @@ Code for a password quality checking function that uses the cracklib
library can be found in `lib/kadm5/sample_password_check.c' in the
source code distribution. It requires the cracklib library built with
the patch available at
-<ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch>.
+`ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch'.
If no password quality checking function is configured, it is only
verified that it is at least six characters of length.
@@ -691,10 +697,13 @@ they present the same service to all the users. The `hprop' program,
running on the master, will propagate the database to the slaves,
running `hpropd' processes.
-Every slave needs a keytab with a principal, `hprop/HOSTNAME'. Add
-that with the `ktutil' command and start `propd', as follows:
+Every slave needs a database directory, the master key (if it was used
+for the database) and a keytab with the principal `hprop/HOSTNAME'.
+Add the principal with the `ktutil' command and start `propd', as
+follows:
slave# ktutil get -p foo/admin hprop/`hostname`
+ slave# mkdir /var/heimdal
slave# hpropd
The master will use the principal `kadmin/hprop' to authenticate to the
@@ -769,7 +778,7 @@ this signal. Then, start `ipropd-slave' on all the slaves:
slave# /usr/heimdal/libexec/ipropd-slave master &

-File: heimdal.info, Node: Salting, Prev: Incremental propagation, Up: Setting up a realm
+File: heimdal.info, Node: Salting, Next: Cross realm, Prev: Incremental propagation, Up: Setting up a realm
Salting
=======
@@ -797,7 +806,7 @@ The syntax of `[kadmin]default_keys' is
`[etype:]salt-type[:salt-string]'. `etype' is the encryption type (des,
des3, arcfour), `salt-type' is the type of salt (pw-salt or afs3-salt),
and the salt-string is the string that will be used as salt (remember
-that if the salt is appened/prepended, the empty salt "" is the same
+that if the salt is appended/prepended, the empty salt "" is the same
thing as no salt at all).
Common types of salting includes
@@ -817,6 +826,141 @@ Common types of salting includes
`afs3-salt' is the salting that is used with Transarc kaserver. Its
the cell appended to the password.
+
+File: heimdal.info, Node: Cross realm, Next: Transit policy, Prev: Salting, Up: Setting up a realm
+
+Cross realm
+===========
+
+Suppose you are residing in the realm `MY.REALM', how do you
+authenticate to a server in `OTHER.REALM'? Having valid tickets in
+`MY.REALM' allows you to communicate with kerberised services in that
+realm. However, the computer in the other realm does not have a secret
+key shared with the Kerberos server in your realm.
+
+It is possible to add a share keys between two realms that trust each
+other. When a client program, such as `telnet' or `ssh', finds that the
+other computer is in a different realm, it will try to get a ticket
+granting ticket for that other realm, but from the local Kerberos
+server. With that ticket granting ticket, it will then obtain service
+tickets from the Kerberos server in the other realm.
+
+For a two way trust between `MY.REALM' and `OTHER.REALM' add the
+following principals to each realm. The principals should be
+`krbtgt/OTHER.REALM@MY.REALM' and `krbtgt/MY.REALM@OTHER.REALM' in
+`MY.REALM', and `krbtgt/MY.REALM@OTHER.REALM' and
+`krbtgt/OTHER.REALM@MY.REALM'in `OTHER.REALM'.
+
+In Kerberos 5 the trust can be one configured to be one way. So that
+users from `MY.REALM' can authenticate to services in `OTHER.REALM',
+but not the opposite. In the example above, the
+`krbtgt/MY.REALM@OTHER.REALM' then should be removed.
+
+The two principals must have the same key, key version number, and the
+same set of encryption types. Remember to transfer the two keys in a
+safe manner.
+
+ vr$ klist
+ Credentials cache: FILE:/tmp/krb5cc_913.console
+ Principal: lha@E.KTH.SE
+
+ Issued Expires Principal
+ May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@E.KTH.SE
+
+ vr$ telnet -l lha hummel.it.su.se
+ Trying 2001:6b0:5:1095:250:fcff:fe24:dbf...
+ Connected to hummel.it.su.se.
+ Escape character is '^]'.
+ Waiting for encryption to be negotiated...
+ [ Trying mutual KERBEROS5 (host/hummel.it.su.se@SU.SE)... ]
+ [ Kerberos V5 accepts you as ``lha@E.KTH.SE'' ]
+ Encryption negotiated.
+ Last login: Sat May 3 14:11:47 from vr.l.nxs.se
+ hummel$ exit
+
+ vr$ klist
+ Credentials cache: FILE:/tmp/krb5cc_913.console
+ Principal: lha@E.KTH.SE
+
+ Issued Expires Principal
+ May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@E.KTH.SE
+ May 3 13:55:56 May 3 23:55:54 krbtgt/SU.SE@E.KTH.SE
+ May 3 14:10:54 May 3 23:55:54 host/hummel.it.su.se@SU.SE
+
+
+File: heimdal.info, Node: Transit policy, Next: Setting up DNS, Prev: Cross realm, Up: Setting up a realm
+
+Transit policy
+==============
+
+If you want to use cross realm authentication through an intermediate
+realm it must be explicitly allowed by either the KDCs or the server
+receiving the request. This is done in `krb5.conf' in the `[capaths]'
+section.
+
+When the ticket transits through a realm to another realm, the
+destination realm adds its peer to the "transited-realms" field in the
+ticket. The field is unordered, this is since there is no way to know if
+know if one of the transited-realms changed the order of the list.
+
+The syntax for `[capaths]' section:
+
+ [capaths]
+ CLIENT-REALM = {
+ SERVER-REALM = PERMITTED-CROSS-REALMS ...
+ }
+
+The realm `STACKEN.KTH.SE' allows clients from `SU.SE' and `DSV.SU.SE'
+to cross in. Since `STACKEN.KTH.SE' only have direct cross realm with
+`KTH.SE', and `DSV.SU.SE' only have direct cross realm with `SU.SE'
+they need to use both `SU.SE' and `KTH.SE' as transit realms.
+
+ [capaths]
+ SU.SE = {
+ STACKEN.KTH.SE = KTH.SE
+ }
+ DSV.SU.SE = {
+ STACKEN.KTH.SE = SU.SE KTH.SE
+ }
+
+
+File: heimdal.info, Node: Setting up DNS, Prev: Transit policy, Up: Setting up a realm
+
+Setting up DNS
+==============
+
+If there is information about where to find the KDC or kadmind for a
+realm in the `krb5.conf' for a realm, that information will be
+preferred and DNS will not be queried.
+
+Heimdal will try to use DNS to find the KDCs for a realm. First it will
+try to find `SRV' resource record (RR) for the realm. If no SRV RRs are
+found, it will fall back to looking for a `A' RR for a machine named
+kerberos.REALM, and then kerberos-1.REALM, etc
+
+Adding this information to DNS makes the client have less configuration
+(in the common case, no configuration) and allows the system
+administrator to change the number of KDCs and on what machines they
+are running without caring about clients.
+
+The backside of using DNS that the client might be fooled to use the
+wrong server if someone fakes DNS replies/data, but storing the IP
+addresses of the KDC on all the clients makes it very hard to change
+the infrastructure.
+
+Example of the configuration for the realm `EXAMPLE.COM',
+
+
+ $ORIGIN example.com.
+ _kerberos._tcp SRV 10 1 88 kerberos.example.com.
+ _kerberos._udp SRV 10 1 88 kerberos.example.com.
+ _kerberos._tcp SRV 10 1 88 kerberos-1.example.com.
+ _kerberos._udp SRV 10 1 88 kerberos-1.example.com.
+ _kpasswd._udp SRV 10 1 464 kerberos.example.com.
+ _kerberos-adm._tcp SRV 10 1 749 kerberos.example.com.
+
+More information about DNS SRV resource records can be found in
+RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)).

File: heimdal.info, Node: Things in search for a better place, Next: Kerberos 4 issues, Prev: Setting up a realm, Up: Top
@@ -1103,7 +1247,7 @@ big problem, but if you have run your kerberos realm for a few years,
chances are big that you have quite a few `junk' principals.
If you don't want this you can remove the `default_domain' statement,
-but then you will have to add entries for _all_ your hosts in the
+but then you will have to add entries for *all* your hosts in the
`v4_instance_convert' section.
Instead of doing this you can use DNS to convert instances. This is not
@@ -1141,120 +1285,6 @@ and you can't set any flags or do any other fancy stuff.
To get this to work, you have to add another entry to inetd (since
version 4 uses port 751, not 749).
-_And then there are a many more things you can do; more on this in a
-later version of this manual. Until then, UTSL._
-
-
-File: heimdal.info, Node: kaserver, Prev: Converting a version 4 database, Up: Kerberos 4 issues
-
-kaserver
-========
-
-kaserver emulation
-------------------
-
-The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4
-server with pre-authentication using Rx as the on-wire protocol. The kdc
-contains a minimalistic Rx implementation.
-
-There are three parts of the kaserver; KAA (Authentication), KAT (Ticket
-Granting), and KAM (Maintenance). The KAA interface and KAT interface
-both passes over DES encrypted data-blobs (just like the
-Kerberos-protocol) and thus do not need any other protection. The KAM
-interface uses `rxkad' (Kerberos authentication layer for Rx) for
-security and data protection, and is used for example for changing
-passwords. This part is not implemented in the kdc.
-
-Another difference between the ka-protocol and the Kerberos 4 protocol
-is that the pass-phrase is salted with the cellname in the `string to
-key' function in the ka-protocol, while in the Kerberos 4 protocol there
-is no salting of the password at all. To make sure AFS-compatible keys
-are added to each principals when they are created or their password are
-changed, `afs3-salt' should be added to `[kadmin]default_keys'.
-
-Transarc AFS Windows client
----------------------------
-
-The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus
-does not need a kaserver. The Windows client assumes that the Kerberos
-server is on the same machine as the AFS-database server. If you do not
-like to do that you can add a small program that runs on the database
-servers that forward all kerberos requests to the real kerberos server.
-A program that does this is `krb-forward'
-(<ftp://ftp.stacken.kth.se/pub/projekts/krb-forward>).
-
-
-File: heimdal.info, Node: Windows 2000 compatability, Next: Programming with Kerberos, Prev: Kerberos 4 issues, Up: Top
-
-Windows 2000 compatability
-**************************
-
-Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
-Kerberos 5. Their implementation, however, has some quirks,
-peculiarities, and bugs. This chapter is a short summary of the things
-that we have found out while trying to test Heimdal against Windows
-2000. Another big problem with the Kerberos implementation in Windows
-2000 is that the available documentation is more focused on getting
-things to work rather than how they work and not that useful in figuring
-out how things really work.
-
-This information should apply to Heimdal 0.3a and Windows 2000
-Professional. It's of course subject all the time and mostly consists
-of our not so inspired guesses. Hopefully it's still somewhat useful.
-
-* Menu:
-
-* Configuring Windows 2000 to use a Heimdal KDC::
-* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC::
-* Create account mappings::
-* Encryption types::
-* Authorization data::
-* Quirks of Windows 2000 KDC::
-* Useful links when reading about the Windows 2000::
-
-
-File: heimdal.info, Node: Configuring Windows 2000 to use a Heimdal KDC, Next: Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Prev: Windows 2000 compatability, Up: Windows 2000 compatability
-
-Configuring Windows 2000 to use a Heimdal KDC
-=============================================
-
-You need the command line program called `ksetup.exe' which is available
-in the file `SUPPORT/TOOLS/SUPPORT.CAB' on the Windows 2000 Professional
-CD-ROM. This program is used to configure the Kerberos settings on a
-Workstation.
-
-`Ksetup' store the domain information under the registry key:
-`HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains'.
-
-Use the kadmin program in Heimdal to create a host principal in the
-Kerberos realm.
-
- unix% kadmin
- kadmin> ank -pw password host/datan.my.domain
-
-You must configure the Workstation as a member of a workgroup, as
-opposed to a member in an NT domain, and specify the KDC server of the
-realm as follows:
- C:> ksetup /setdomain MY.REALM
- C:> ksetup /addkdc MY.REALM kdc.my.domain
-
-Set the machine password, i.e. create the local keytab:
- C:> ksetup /setmachpassword password
-
-The workstation must now be rebooted.
-
-A mapping between local NT users and Kerberos principals must be
-specified, you have two choices:
-
- C:> ksetup /mapuser user@MY.REALM nt_user
-
-This will map a user to a specific principal, this allows you to have
-other usernames in the realm than in your NT user database. (Don't ask
-me why on earth you would want that...)
-
-You can also say:
- C:> ksetup /mapuser * *
-The Windows machine will now map any user to the corresponding
-principal, for example `nisse' to the principal `nisse@MY.REALM'.
-(This is most likely what you want.)
+*And then there are a many more things you can do; more on this in a
+later version of this manual. Until then, UTSL.*
diff --git a/kerberosV/src/doc/heimdal.info-2 b/kerberosV/src/doc/heimdal.info-2
index 0ca9b3f5d09..42d7466fd81 100644
--- a/kerberosV/src/doc/heimdal.info-2
+++ b/kerberosV/src/doc/heimdal.info-2
@@ -1,5 +1,5 @@
-This is heimdal.info, produced by makeinfo version 4.0 from
-heimdal.texi.
+This is Info file heimdal.info, produced by Makeinfo version 1.68 from
+the input file heimdal.texi.
INFO-DIR-SECTION Heimdal
START-INFO-DIR-ENTRY
@@ -7,6 +7,120 @@ START-INFO-DIR-ENTRY
END-INFO-DIR-ENTRY

+File: heimdal.info, Node: kaserver, Prev: Converting a version 4 database, Up: Kerberos 4 issues
+
+kaserver
+========
+
+kaserver emulation
+------------------
+
+The Heimdal kdc can emulate a kaserver. The kaserver is a Kerberos 4
+server with pre-authentication using Rx as the on-wire protocol. The kdc
+contains a minimalistic Rx implementation.
+
+There are three parts of the kaserver; KAA (Authentication), KAT (Ticket
+Granting), and KAM (Maintenance). The KAA interface and KAT interface
+both passes over DES encrypted data-blobs (just like the
+Kerberos-protocol) and thus do not need any other protection. The KAM
+interface uses `rxkad' (Kerberos authentication layer for Rx) for
+security and data protection, and is used for example for changing
+passwords. This part is not implemented in the kdc.
+
+Another difference between the ka-protocol and the Kerberos 4 protocol
+is that the pass-phrase is salted with the cellname in the `string to
+key' function in the ka-protocol, while in the Kerberos 4 protocol there
+is no salting of the password at all. To make sure AFS-compatible keys
+are added to each principals when they are created or their password are
+changed, `afs3-salt' should be added to `[kadmin]default_keys'.
+
+Transarc AFS Windows client
+---------------------------
+
+The Transarc Windows client uses Kerberos 4 to obtain tokens, and thus
+does not need a kaserver. The Windows client assumes that the Kerberos
+server is on the same machine as the AFS-database server. If you do not
+like to do that you can add a small program that runs on the database
+servers that forward all kerberos requests to the real kerberos server.
+A program that does this is `krb-forward'
+(`ftp://ftp.stacken.kth.se/pub/projekts/krb-forward').
+
+
+File: heimdal.info, Node: Windows 2000 compatability, Next: Programming with Kerberos, Prev: Kerberos 4 issues, Up: Top
+
+Windows 2000 compatability
+**************************
+
+Windows 2000 (formerly known as Windows NT 5) from Microsoft implements
+Kerberos 5. Their implementation, however, has some quirks,
+peculiarities, and bugs. This chapter is a short summary of the things
+that we have found out while trying to test Heimdal against Windows
+2000. Another big problem with the Kerberos implementation in Windows
+2000 is that the available documentation is more focused on getting
+things to work rather than how they work and not that useful in figuring
+out how things really work.
+
+This information should apply to Heimdal 0.3a and Windows 2000
+Professional. It's of course subject all the time and mostly consists
+of our not so inspired guesses. Hopefully it's still somewhat useful.
+
+* Menu:
+
+* Configuring Windows 2000 to use a Heimdal KDC::
+* Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC::
+* Create account mappings::
+* Encryption types::
+* Authorization data::
+* Quirks of Windows 2000 KDC::
+* Useful links when reading about the Windows 2000::
+
+
+File: heimdal.info, Node: Configuring Windows 2000 to use a Heimdal KDC, Next: Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Prev: Windows 2000 compatability, Up: Windows 2000 compatability
+
+Configuring Windows 2000 to use a Heimdal KDC
+=============================================
+
+You need the command line program called `ksetup.exe' which is available
+in the file `SUPPORT/TOOLS/SUPPORT.CAB' on the Windows 2000 Professional
+CD-ROM. This program is used to configure the Kerberos settings on a
+Workstation.
+
+`Ksetup' store the domain information under the registry key:
+`HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains'.
+
+Use the kadmin program in Heimdal to create a host principal in the
+Kerberos realm.
+
+ unix% kadmin
+ kadmin> ank -pw password host/datan.my.domain
+
+You must configure the Workstation as a member of a workgroup, as
+opposed to a member in an NT domain, and specify the KDC server of the
+realm as follows:
+ C:> ksetup /setdomain MY.REALM
+ C:> ksetup /addkdc MY.REALM kdc.my.domain
+
+Set the machine password, i.e. create the local keytab:
+ C:> ksetup /setmachpassword password
+
+The workstation must now be rebooted.
+
+A mapping between local NT users and Kerberos principals must be
+specified, you have two choices:
+
+ C:> ksetup /mapuser user@MY.REALM nt_user
+
+This will map a user to a specific principal, this allows you to have
+other usernames in the realm than in your NT user database. (Don't ask
+me why on earth you would want that...)
+
+You can also say:
+ C:> ksetup /mapuser * *
+The Windows machine will now map any user to the corresponding
+principal, for example `nisse' to the principal `nisse@MY.REALM'.
+(This is most likely what you want.)
+
+
File: heimdal.info, Node: Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC, Next: Create account mappings, Prev: Configuring Windows 2000 to use a Heimdal KDC, Up: Windows 2000 compatability
Inter-Realm keys (trust) between Windows 2000 and a Heimdal KDC
@@ -149,7 +263,7 @@ required.
Microsoft seems also to have forgotten to implement the checksum
algorithms `rsa-md4-des' and `rsa-md5-des'. This can make Name mapping
-(*note Create account mappings::) fail if a `des-cbc-md5' key is used.
+(*note Create account mappings::.) fail if a `des-cbc-md5' key is used.
To make the KDC return only `des-cbc-crc' you must delete the
`des-cbc-md5' key from the kdc using the `kadmin del_enctype' command.
@@ -172,44 +286,82 @@ Useful links when reading about the Windows 2000
See also our paper presented at the 2001 usenix Annual Technical
Conference, available in the proceedings or at
-<http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html>.
+`http://www.usenix.org/publications/library/proceedings/usenix01/freenix01/westerlund.html'.
There are lots of text about Kerberos on Microsoft's web site, here is a
short list of the interesting documents that we have managed to find.
* Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability -
- <http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp>
+
+
+
+
+
+
+
+
+
+
+
+ `http://www.microsoft.com/windows2000/library/planning/security/kerbsteps.asp'
Kerberos GSS-API (in Windows-ize SSPI), Windows as a client in a
non-Windows KDC realm, adding unix clients to a Windows 2000 KDC,
and adding cross-realm trust (*Note Inter-Realm keys (trust)
between Windows 2000 and a Heimdal KDC::.).
* Windows 2000 Kerberos Authentication -
- <http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/kerberos.asp>
+
+
+
+
+
+
+ `http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/kerberos.asp'
White paper that describes how Kerberos is used in Windows 2000.
* Overview of kerberos -
- <http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP>
+ `http://support.microsoft.com/support/kb/articles/Q248/7/58.ASP'
Links to useful other links.
* Klist for windows -
- <http://msdn.microsoft.com/library/periodic/period00/security0500.htm>
+
+
+
+ `http://msdn.microsoft.com/library/periodic/period00/security0500.htm'
Describes where to get a klist for Windows 2000.
* Event logging for kerberos -
- <http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP>.
+ `http://support.microsoft.com/support/kb/articles/Q262/1/77.ASP'.
Basicly it say that you can add a registry key
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel'
with value DWORD equal to 1, and then you'll get logging in the
Event Logger.
* Access to the active directory through LDAP
- <http://msdn.microsoft.com/library/techart/kerberossamp.htm>
-
+ `http://msdn.microsoft.com/library/techart/kerberossamp.htm'
Other useful programs include these:
- * pwdump2 <http://www.webspan.net/~tas/pwdump2/>
+ * pwdump2 `http://www.webspan.net/~tas/pwdump2/'

File: heimdal.info, Node: Programming with Kerberos, Next: Migration, Prev: Windows 2000 compatability, Up: Top
@@ -218,7 +370,7 @@ Programming with Kerberos
*************************
First you need to know how the Kerberos model works, go read the
-introduction text (*note What is Kerberos?::).
+introduction text (*note What is Kerberos?::.).
* Menu:
@@ -515,7 +667,6 @@ Order in what to do things:
using KPOP, and Zephyr. Eudora can use the Kerberos 4 kerberos in
the Heimdal kdc.
-

File: heimdal.info, Node: Acknowledgments, Prev: Migration, Up: Top
@@ -564,7 +715,7 @@ Marc Horowitz
<marc@cygnus.com>
Luke Howard
- <lukeh@xedoc.com.au>
+ <lukeh@PADL.COM>
Brandon S. Allbery KF8NH
<allbery@kf8nh.apk.net>
diff --git a/kerberosV/src/include/config.h.in b/kerberosV/src/include/config.h.in
index 0dde9922b56..147b3cef6ba 100644
--- a/kerberosV/src/include/config.h.in
+++ b/kerberosV/src/include/config.h.in
@@ -1326,9 +1326,11 @@ static /**/const char *const rcsid[] = { (const char *)rcsid, "@(#)" msg }
/* Define to `int' if <sys/types.h> doesn't define. */
#undef gid_t
-/* Define as `__inline' if that's what the C compiler calls it, or to nothing
- if it is not supported. */
+/* Define to `__inline__' or `__inline' if that's what the C compiler
+ calls it, or to nothing if 'inline' is not supported under any name. */
+#ifndef __cplusplus
#undef inline
+#endif
/* Define this to what the type mode_t should be. */
#undef mode_t
diff --git a/kerberosV/src/kadmin/ChangeLog b/kerberosV/src/kadmin/ChangeLog
index 093835e98be..8bfbeed7fd5 100644
--- a/kerberosV/src/kadmin/ChangeLog
+++ b/kerberosV/src/kadmin/ChangeLog
@@ -1,3 +1,10 @@
+2004-04-29 Love Hörquist Åstrand <lha@it.su.se>
+
+ * version4.c: 1.30: (handle_v4): make sure length is longer then
+ 2, Pointed out by Evgeny Demidov <demidov@gleg.net>
+
+ * kadmind.c: 1.31: make kerberos4 support default turned off
+
2003-04-14 Love Hörquist Åstrand <lha@it.su.se>
* util.c: cast argument to tolower to unsigned char, from
diff --git a/kerberosV/src/lib/asn1/der_free.c b/kerberosV/src/lib/asn1/der_free.c
index c2102d0f510..42753afe7b1 100644
--- a/kerberosV/src/lib/asn1/der_free.c
+++ b/kerberosV/src/lib/asn1/der_free.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,22 +33,25 @@
#include "der_locl.h"
-RCSID("$KTH: der_free.c,v 1.8 2001/09/25 13:39:26 assar Exp $");
+RCSID("$KTH: der_free.c,v 1.8.6.1 2003/08/20 16:24:20 joda Exp $");
void
free_general_string (general_string *str)
{
free(*str);
+ *str = NULL;
}
void
free_octet_string (octet_string *k)
{
free(k->data);
+ k->data = NULL;
}
void
free_oid (oid *k)
{
free(k->components);
+ k->components = NULL;
}
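Review bot: `free_octet_string` and `free_oid` now reset the pointer but leave the length field untouched, so after the call the struct still claims N bytes or components at a NULL address. Any later code that trusts the length (a copy, compare or encode of an already freed value) would then read through NULL instead of seeing an empty object. Assuming `octet_string` and `oid` carry a `length` member next to `data`/`components` (their definitions are not in this hunk), add `k->length = 0;` after each NULL assignment. A one-line comment such as `/* reset so a repeated free_*() on the same object is harmless */` would also record why the assignments were added.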
diff --git a/kerberosV/src/lib/asn1/der_length.c b/kerberosV/src/lib/asn1/der_length.c
index 84405f6dbd5..f2bcbda2269 100644
--- a/kerberosV/src/lib/asn1/der_length.c
+++ b/kerberosV/src/lib/asn1/der_length.c
@@ -33,10 +33,10 @@
#include "der_locl.h"
-RCSID("$KTH: der_length.c,v 1.12 2001/09/25 13:39:26 assar Exp $");
+RCSID("$KTH: der_length.c,v 1.12.6.2 2004/02/12 18:45:51 joda Exp $");
-static size_t
-len_unsigned (unsigned val)
+size_t
+_heim_len_unsigned (unsigned val)
{
size_t ret = 0;
@@ -47,24 +47,31 @@ len_unsigned (unsigned val)
return ret;
}
-static size_t
-len_int (int val)
+size_t
+_heim_len_int (int val)
{
- size_t ret = 0;
-
- if (val == 0)
- return 1;
- while (val > 255 || val < -255) {
- ++ret;
- val /= 256;
- }
- if (val != 0) {
- ++ret;
- if ((signed char)val != val)
- ++ret;
- val /= 256;
- }
- return ret;
+ unsigned char q;
+ size_t ret = 0;
+
+ if (val >= 0) {
+ do {
+ q = val % 256;
+ ret++;
+ val /= 256;
+ } while(val);
+ if(q >= 128)
+ ret++;
+ } else {
+ val = ~val;
+ do {
+ q = ~(val % 256);
+ ret++;
+ val /= 256;
+ } while(val);
+ if(q < 128)
+ ret++;
+ }
+ return ret;
}
static size_t
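Review bot: The rewritten `_heim_len_int` has no comment stating the rule it implements, and the negative branch is not obvious on first reading. A header comment such as `/* content octets of a DER INTEGER: minimal two's complement, one extra octet when the top bit of the leading octet disagrees with the sign */` would help, plus a short remark that `val = ~val` maps a negative value onto a non-negative one so the same byte loop can be reused. Callers size their output from this result, so it has to agree octet for octet with the integer encoder, which is not visible in this hunk. A small table test over boundary values (constructed examples: 127, 128, -128, -129, -32769) would pin that agreement.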
@@ -89,16 +96,16 @@ len_oid (const oid *oid)
size_t
length_len (size_t len)
{
- if (len < 128)
- return 1;
- else
- return len_unsigned (len) + 1;
+ if (len < 128)
+ return 1;
+ else
+ return _heim_len_unsigned (len) + 1;
}
size_t
length_integer (const int *data)
{
- size_t len = len_int (*data);
+ size_t len = _heim_len_int (*data);
return 1 + length_len(len) + len;
}
@@ -106,7 +113,7 @@ length_integer (const int *data)
size_t
length_unsigned (const unsigned *data)
{
- size_t len = len_unsigned (*data);
+ size_t len = _heim_len_unsigned (*data);
return 1 + length_len(len) + len;
}
@@ -114,7 +121,7 @@ length_unsigned (const unsigned *data)
size_t
length_enumerated (const unsigned *data)
{
- size_t len = len_int (*data);
+ size_t len = _heim_len_int (*data);
return 1 + length_len(len) + len;
}
diff --git a/kerberosV/src/lib/asn1/der_locl.h b/kerberosV/src/lib/asn1/der_locl.h
index ccfadf84ed2..e3e5019468b 100644
--- a/kerberosV/src/lib/asn1/der_locl.h
+++ b/kerberosV/src/lib/asn1/der_locl.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $KTH: der_locl.h,v 1.4 2001/09/27 16:21:47 assar Exp $ */
+/* $KTH: der_locl.h,v 1.4.6.1 2004/02/09 17:54:05 lha Exp $ */
#ifndef __DER_LOCL_H__
#define __DER_LOCL_H__
@@ -53,4 +53,7 @@
#include <asn1_err.h>
#include <der.h>
+size_t _heim_len_unsigned (unsigned);
+size_t _heim_len_int (int);
+
#endif /* __DER_LOCL_H__ */
diff --git a/kerberosV/src/lib/asn1/gen_free.c b/kerberosV/src/lib/asn1/gen_free.c
index c1921f501bb..289aab0ec0f 100644
--- a/kerberosV/src/lib/asn1/gen_free.c
+++ b/kerberosV/src/lib/asn1/gen_free.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gen_locl.h"
-RCSID("$KTH: gen_free.c,v 1.9 2001/09/25 13:39:26 assar Exp $");
+RCSID("$KTH: gen_free.c,v 1.9.6.1 2003/08/20 16:25:01 joda Exp $");
static void
free_primitive (const char *typename, const char *name)
@@ -82,7 +82,8 @@ free_type (const char *name, const Type *t)
if(m->optional)
fprintf(codefile,
"free(%s);\n"
- "}\n",s);
+ "%s = NULL;\n"
+ "}\n", s, s);
if (tag == -1)
tag = m->val;
free (s);
@@ -100,7 +101,8 @@ free_type (const char *name, const Type *t)
"}\n",
name);
fprintf(codefile,
- "free((%s)->val);\n", name);
+ "free((%s)->val);\n"
+ "(%s)->val = NULL;\n", name, name);
free(n);
break;
}
diff --git a/kerberosV/src/lib/asn1/gen_length.c b/kerberosV/src/lib/asn1/gen_length.c
index 83d093586f7..065c55163ed 100644
--- a/kerberosV/src/lib/asn1/gen_length.c
+++ b/kerberosV/src/lib/asn1/gen_length.c
@@ -33,7 +33,7 @@
#include "gen_locl.h"
-RCSID("$KTH: gen_length.c,v 1.11 2001/09/25 13:39:26 assar Exp $");
+RCSID("$KTH: gen_length.c,v 1.11.6.1 2004/01/26 09:26:10 lha Exp $");
static void
length_primitive (const char *typename,
@@ -126,8 +126,12 @@ length_type (const char *name, const Type *t, const char *variable)
variable, variable);
fprintf (codefile, "for(i = (%s)->len - 1; i >= 0; --i){\n", name);
+ fprintf (codefile, "int oldret = %s;\n"
+ "%s = 0;\n", variable, variable);
asprintf (&n, "&(%s)->val[i]", name);
length_type(n, t->subtype, variable);
+ fprintf (codefile, "%s += oldret;\n",
+ variable);
fprintf (codefile, "}\n");
fprintf (codefile,
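Review bot: The emitted declaration `int oldret = %s;` saves the running length in an `int`, while the length routines elsewhere in this commit work in `size_t`. If the generated accumulator is `size_t` (its declaration is outside this hunk), the save and restore narrows it and mixes signedness in `%s += oldret`. Emitting `"size_t oldret = %s;\n"` keeps the type consistent, so a large SEQUENCE OF cannot produce a shortened length that a caller then uses to size a buffer. The enclosing `length_type` continues past both ends of the hunk.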
diff --git a/kerberosV/src/lib/asn1/k5.asn1 b/kerberosV/src/lib/asn1/k5.asn1
index b015dea1cf4..b468fd74628 100644
--- a/kerberosV/src/lib/asn1/k5.asn1
+++ b/kerberosV/src/lib/asn1/k5.asn1
@@ -1,4 +1,4 @@
--- $KTH: k5.asn1,v 1.28 2003/01/15 03:13:47 lha Exp $
+-- $KTH: k5.asn1,v 1.28.2.1 2004/06/21 08:25:45 lha Exp $
KERBEROS5 DEFINITIONS ::=
BEGIN
@@ -51,6 +51,7 @@ PADATA-TYPE ::= INTEGER {
KRB5-PADATA-PK-AS-SIGN(16), -- (PKINIT)
KRB5-PADATA-PK-KEY-REQ(17), -- (PKINIT)
KRB5-PADATA-PK-KEY-REP(18), -- (PKINIT)
+ KRB5-PADATA-ETYPE-INFO2(19),
KRB5-PADATA-USE-SPECIFIED-KVNO(20),
KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
KRB5-PADATA-GET-FROM-TYPED-DATA(22),
@@ -440,6 +441,12 @@ KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
e-data[12] OCTET STRING OPTIONAL
}
+ChangePasswdDataMS ::= SEQUENCE {
+ newpasswd[0] OCTET STRING,
+ targname[1] PrincipalName OPTIONAL,
+ targrealm[2] Realm OPTIONAL
+}
+
pvno INTEGER ::= 5 -- current Kerberos protocol version number
-- transited encodings
diff --git a/kerberosV/src/lib/des/des.cat1 b/kerberosV/src/lib/des/des.cat1
new file mode 100644
index 00000000000..9a78c18de35
--- /dev/null
+++ b/kerberosV/src/lib/des/des.cat1
@@ -0,0 +1,132 @@
+
+
+
+DES(1) DES(1)
+
+
+
+NAME
+ des - encrypt or decrypt data using Data Encryption Standard
+
+SYNOPSIS
+ ddeess ( --ee | --EE ) | ( --dd | --DD ) | ( --[ccCC][cckknnaammee] ) | [ --bb33hhffss ] [ --kk _k_e_y ] ]
+ [ --uu[_u_u_n_a_m_e] [ _i_n_p_u_t_-_f_i_l_e [ _o_u_t_p_u_t_-_f_i_l_e ] ]
+
+DESCRIPTION
+ ddeess encrypts and decrypts data using the Data Encryption Standard algo-
+ rithm. One of --ee,, --EE (for encrypt) or --dd,, --DD (for decrypt) must be speci-
+ fied. It is also possible to use --cc or --CC in conjunction or instead of the
+ a encrypt/decrypt option to generate a 16 character hexadecimal checksum,
+ generated via the _d_e_s___c_b_c___c_k_s_u_m_.
+
+ Two standard encryption modes are supported by the ddeess program, Cipher
+ Block Chaining (the default) and Electronic Code Book (specified with --bb ).
+
+ The key used for the DES algorithm is obtained by prompting the user unless
+ the ``--kk _k_e_y_' option is given. If the key is an argument to the ddeess com-
+ mand, it is potentially visible to users executing ppss(1) or a derivative.
+ To minimise this possibility, ddeess takes care to destroy the key argument
+ immediately upon entry. If your shell keeps a history file be careful to
+ make sure it is not world readable.
+
+ Since this program attempts to maintain compatibility with SunOS's des(1)
+ command, there are 2 different methods used to convert the user supplied
+ key to a des key. Whenever and one or more of --EE,, --DD,, --CC or --33 options are
+ used, the key conversion procedure will not be compatible with the SunOS
+ des(1) version but will use all the user supplied character to generate the
+ des key. ddeess command reads from standard input unless _i_n_p_u_t_-_f_i_l_e is speci-
+ fied and writes to standard output unless _o_u_t_p_u_t_-_f_i_l_e is given.
+
+OPTIONS
+
+ --bb Select ECB (eight bytes at a time) encryption mode.
+
+ --33 Encrypt using triple encryption. By default triple cbc encryption is
+ used but if the --bb option is used then triple ecb encryption is per-
+ formed. If the key is less than 8 characters long, the flag has no
+ effect.
+
+ --ee Encrypt data using an 8 byte key in a manner compatible with SunOS
+ des(1).
+
+ --EE Encrypt data using a key of nearly unlimited length (1024 bytes).
+ This will product a more secure encryption.
+
+ --dd Decrypt data that was encrypted with the -e option.
+
+ --DD Decrypt data that was encrypted with the -E option.
+
+ --cc Generate a 16 character hexadecimal cbc checksum and output this to
+ stderr. If a filename was specified after the --cc option, the checksum
+ is output to that file. The checksum is generated using a key gener-
+ ated in a SunOS compatible manner.
+
+ --CC A cbc checksum is generated in the same manner as described for the --cc
+ option but the DES key is generated in the same manner as used for the
+ --EE and --DD options
+
+ --ff Does nothing - allowed for compatibility with SunOS des(1) command.
+
+ --ss Does nothing - allowed for compatibility with SunOS des(1) command.
+
+ --kk _k_e_y
+ Use the encryption _k_e_y specified.
+
+ --hh The _k_e_y is assumed to be a 16 character hexadecimal number. If the --33
+ option is used the key is assumed to be a 32 character hexadecimal
+ number.
+
+ --uu This flag is used to read and write uuencoded files. If decrypting,
+ the input file is assumed to contain uuencoded, DES encrypted data.
+ If encrypting, the characters following the -u are used as the name of
+ the uuencoded file to embed in the begin line of the uuencoded output.
+ If there is no name specified after the -u, the name text.des will be
+ embedded in the header.
+
+SEE ALSO
+ ppss ((11)) ddeess__ccrryypptt((33))
+
+BUGS
+
+ The problem with using the --ee option is the short key length. It would be
+ better to use a real 56-bit key rather than an ASCII-based 56-bit pattern.
+ Knowing that the key was derived from ASCII radically reduces the time nec-
+ essary for a brute-force cryptographic attack. My attempt to remove this
+ problem is to add an alternative text-key to DES-key function. This alter-
+ native function (accessed via --EE,, --DD,, --SS and --33 ) uses DES to help generate
+ the key.
+
+ Be carefully when using the -u option. Doing des -ud <filename> will not
+ decrypt filename (the -u option will gobble the d option).
+
+ The VMS operating system operates in a world where files are always a mul-
+ tiple of 512 bytes. This causes problems when encrypted data is send from
+ unix to VMS since a 88 byte file will suddenly be padded with 424 null
+ bytes. To get around this problem, use the -u option to uuencode the data
+ before it is send to the VMS system.
+
+AUTHOR
+
+ Eric Young (eay@mincom.oz.au or eay@psych.psy.uq.oz.au)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/kerberosV/src/lib/des/des_crypt.cat3 b/kerberosV/src/lib/des/des_crypt.cat3
new file mode 100644
index 00000000000..f7370a3af59
--- /dev/null
+++ b/kerberosV/src/lib/des/des_crypt.cat3
@@ -0,0 +1,264 @@
+
+
+
+DES_CRYPT(3) DES_CRYPT(3)
+
+
+
+NAME
+ des_read_password, des_string_to_key, des_random_key, des_set_key,
+ des_ecb_encrypt, des_cbc_encrypt, des_pcbc_encrypt, des_cbc_cksum,
+ des_quad_cksum, - (new) DES encryption
+
+SYNOPSIS
+ ##iinncclluuddee <<ddeess..hh>>
+
+ iinntt ddeess__rreeaadd__ppaasssswwoorrdd((kkeeyy,,pprroommpptt,,vveerriiffyy))
+ des_cblock *key;
+ char *prompt;
+ int verify;
+
+ iinntt ddeess__ssttrriinngg__ttoo__kkeeyy((ssttrr,,kkeeyy))
+ cchhaarr **ssttrr;;
+ ddeess__ccbblloocckk kkeeyy;;
+
+ iinntt ddeess__rraannddoomm__kkeeyy((kkeeyy))
+ ddeess__ccbblloocckk **kkeeyy;;
+
+ iinntt ddeess__sseett__kkeeyy((kkeeyy,,sscchheedduullee))
+ ddeess__ccbblloocckk **kkeeyy;;
+ ddeess__kkeeyy__sscchheedduullee sscchheedduullee;;
+
+ iinntt ddeess__eeccbb__eennccrryypptt((iinnppuutt,,oouuttppuutt,,sscchheedduullee,,eennccrryypptt))
+ ddeess__ccbblloocckk **iinnppuutt;;
+ ddeess__ccbblloocckk **oouuttppuutt;;
+ ddeess__kkeeyy__sscchheedduullee sscchheedduullee;;
+ iinntt eennccrryypptt;;
+
+ iinntt ddeess__ccbbcc__eennccrryypptt((iinnppuutt,,oouuttppuutt,,lleennggtthh,,sscchheedduullee,,iivveecc,,eennccrryypptt))
+ ddeess__ccbblloocckk **iinnppuutt;;
+ ddeess__ccbblloocckk **oouuttppuutt;;
+ lloonngg lleennggtthh;;
+ ddeess__kkeeyy__sscchheedduullee sscchheedduullee;;
+ ddeess__ccbblloocckk **iivveecc;;
+ iinntt eennccrryypptt;;
+
+ iinntt ddeess__ppccbbcc__eennccrryypptt((iinnppuutt,,oouuttppuutt,,lleennggtthh,,sscchheedduullee,,iivveecc,,eennccrryypptt))
+ ddeess__ccbblloocckk **iinnppuutt;;
+ ddeess__ccbblloocckk **oouuttppuutt;;
+ lloonngg lleennggtthh;;
+ ddeess__kkeeyy__sscchheedduullee sscchheedduullee;;
+ ddeess__ccbblloocckk **iivveecc;;
+ iinntt eennccrryypptt;;
+
+ uunnssiiggnneedd lloonngg ddeess__ccbbcc__cckkssuumm((iinnppuutt,,oouuttppuutt,,lleennggtthh,,sscchheedduullee,,iivveecc))
+ ddeess__ccbblloocckk **iinnppuutt;;
+ ddeess__ccbblloocckk **oouuttppuutt;;
+ lloonngg lleennggtthh;;
+ ddeess__kkeeyy__sscchheedduullee sscchheedduullee;;
+ ddeess__ccbblloocckk **iivveecc;;
+
+ uunnssiiggnneedd lloonngg qquuaadd__cckkssuumm((iinnppuutt,,oouuttppuutt,,lleennggtthh,,oouutt__ccoouunntt,,sseeeedd))
+ ddeess__ccbblloocckk **iinnppuutt;;
+ ddeess__ccbblloocckk **oouuttppuutt;;
+ lloonngg lleennggtthh;;
+ iinntt oouutt__ccoouunntt;;
+ ddeess__ccbblloocckk **sseeeedd;;
+
+DESCRIPTION
+ This library supports various DES encryption related operations. It differs
+ from the _c_r_y_p_t_, _s_e_t_k_e_y_, _a_n_d _e_n_c_r_y_p_t library routines in that it provides a
+ true DES encryption, without modifying the algorithm, and executes much
+ faster.
+
+ For each key that may be simultaneously active, create a ddeess__kkeeyy__sscchheedduullee
+ struct, defined in "des.h". Next, create key schedules (from the 8-byte
+ keys) as needed, via _d_e_s___s_e_t___k_e_y_, prior to using the encryption or checksum
+ routines. Then setup the input and output areas. Make sure to note the
+ restrictions on lengths being multiples of eight bytes. Finally, invoke the
+ encryption/decryption routines, _d_e_s___e_c_b___e_n_c_r_y_p_t or _d_e_s___c_b_c___e_n_c_r_y_p_t or
+ _d_e_s___p_c_b_c___e_n_c_r_y_p_t_, or, to generate a cryptographic checksum, use _q_u_a_d___c_k_s_u_m
+ (fast) or _d_e_s___c_b_c___c_k_s_u_m (slow).
+
+ A _d_e_s___c_b_l_o_c_k struct is an 8 byte block used as the fundamental unit for DES
+ data and keys, and is defined as:
+
+ ttyyppeeddeeff uunnssiiggnneedd cchhaarr ddeess__ccbblloocckk[[88]];;
+
+ and a _d_e_s___k_e_y___s_c_h_e_d_u_l_e_, is defined as:
+
+ ttyyppeeddeeff ssttrruucctt ddeess__kkss__ssttrruucctt {{ddeess__ccbblloocckk __;;}} ddeess__kkeeyy__sscchheedduullee[[1166]];;
+
+ _d_e_s___r_e_a_d___p_a_s_s_w_o_r_d writes the string specified by _p_r_o_m_p_t to the standard
+ output, turns off echo (if possible) and reads an input string from stan-
+ dard input until terminated with a newline. If _v_e_r_i_f_y is non-zero, it
+ prompts and reads input again, for use in applications such as changing a
+ password; both versions are compared, and the input is requested repeatedly
+ until they match. Then _d_e_s___r_e_a_d___p_a_s_s_w_o_r_d converts the input string into a
+ valid DES key, internally using the _d_e_s___s_t_r_i_n_g___t_o___k_e_y routine. The newly
+ created key is copied to the area pointed to by the _k_e_y argument.
+ _d_e_s___r_e_a_d___p_a_s_s_w_o_r_d returns a zero if no errors occurred, or a -1 indicating
+ that an error occurred trying to manipulate the terminal echo.
+
+ _d_e_s___s_t_r_i_n_g___t_o___k_e_y converts an arbitrary length null-terminated string to an
+ 8 byte DES key, with odd byte parity, per FIPS specification. A one-way
+ function is used to convert the string to a key, making it very difficult
+ to reconstruct the string from the key. The _s_t_r argument is a pointer to
+ the string, and _k_e_y should point to a _d_e_s___c_b_l_o_c_k supplied by the caller to
+ receive the generated key. No meaningful value is returned. Void is not
+ used for compatibility with other compilers.
+
+ _d_e_s___r_a_n_d_o_m___k_e_y generates a random DES encryption key (eight bytes), set to
+ odd parity per FIPS specifications. This routine uses the current time,
+ process id, and a counter as a seed for the random number generator. The
+ caller must supply space for the output key, pointed to by argument _k_e_y_,
+ then after calling _d_e_s___r_a_n_d_o_m___k_e_y should call the _d_e_s___s_e_t___k_e_y routine when
+ needed. No meaningful value is returned. Void is not used for compatibil-
+ ity with other compilers.
+
+ _d_e_s___s_e_t___k_e_y calculates a key schedule from all eight bytes of the input
+ key, pointed to by the _k_e_y argument, and outputs the schedule into the
+ _d_e_s___k_e_y___s_c_h_e_d_u_l_e indicated by the _s_c_h_e_d_u_l_e argument. Make sure to pass a
+ valid eight byte key; no padding is done. The key schedule may then be
+ used in subsequent encryption/decryption/checksum operations. Many key
+ schedules may be cached for later use. The user is responsible to clear
+ keys and schedules as soon as no longer needed, to prevent their disclo-
+ sure. The routine also checks the key parity, and returns a zero if the
+ key parity is correct (odd), a -1 indicating a key parity error, or a -2
+ indicating use of an illegal weak key. If an error is returned, the key
+ schedule was not created.
+
+ _d_e_s___e_c_b___e_n_c_r_y_p_t is the basic DES encryption routine that encrypts or
+ decrypts a single 8-byte block in eelleeccttrroonniicc ccooddee bbooookk mode. It always
+ transforms the input data, pointed to by _i_n_p_u_t_, into the output data,
+ pointed to by the _o_u_t_p_u_t argument.
+
+ If the _e_n_c_r_y_p_t argument is non-zero, the _i_n_p_u_t (cleartext) is encrypted
+ into the _o_u_t_p_u_t (ciphertext) using the key_schedule specified by the _s_c_h_e_d_-
+ _u_l_e argument, previously set via _d_e_s___s_e_t___k_e_y
+
+ If encrypt is zero, the _i_n_p_u_t (now ciphertext) is decrypted into the _o_u_t_p_u_t
+ (now cleartext).
+
+ Input and output may overlap.
+
+ No meaningful value is returned. Void is not used for compatibility with
+ other compilers.
+
+ _d_e_s___c_b_c___e_n_c_r_y_p_t encrypts/decrypts using the cciipphheerr--bblloocckk--cchhaaiinniinngg mmooddee ooff
+ DDEESS.. If the _e_n_c_r_y_p_t argument is non-zero, the routine cipher-block-chain
+ encrypts the cleartext data pointed to by the _i_n_p_u_t argument into the
+ ciphertext pointed to by the _o_u_t_p_u_t argument, using the key schedule pro-
+ vided by the _s_c_h_e_d_u_l_e argument, and initialization vector provided by the
+ _i_v_e_c argument. If the _l_e_n_g_t_h argument is not an integral multiple of eight
+ bytes, the last block is copied to a temp and zero filled (highest
+ addresses). The output is ALWAYS an integral multiple of eight bytes.
+
+ If _e_n_c_r_y_p_t is zero, the routine cipher-block chain decrypts the (now)
+ ciphertext data pointed to by the _i_n_p_u_t argument into (now) cleartext
+ pointed to by the _o_u_t_p_u_t argument using the key schedule provided by the
+ _s_c_h_e_d_u_l_e argument, and initialization vector provided by the _i_v_e_c argument.
+ Decryption ALWAYS operates on integral multiples of 8 bytes, so it will
+ round the _l_e_n_g_t_h provided up to the appropriate multiple. Consequently, it
+ will always produce the rounded-up number of bytes of output cleartext. The
+ application must determine if the output cleartext was zero-padded due to
+ original cleartext lengths that were not integral multiples of 8.
+
+ No errors or meaningful values are returned. Void is not used for compati-
+ bility with other compilers.
+
+ A characteristic of cbc mode is that changing a single bit of the cleart-
+ ext, then encrypting using cbc mode, affects ALL the subsequent ciphertext.
+ This makes cryptanalysis much more difficult. However, modifying a single
+ bit of the ciphertext, then decrypting, only affects the resulting cleart-
+ ext from the modified block and the succeeding block. Therefore,
+ _d_e_s___p_c_b_c___e_n_c_r_y_p_t is STRONGLY recommended for applications where indefinite
+ propagation of errors is required in order to detect modifications.
+
+ _d_e_s___p_c_b_c___e_n_c_r_y_p_t encrypts/decrypts using a modified block chaining mode.
+ Its calling sequence is identical to _d_e_s___c_b_c___e_n_c_r_y_p_t_. It differs in its
+ error propagation characteristics.
+
+ _d_e_s___p_c_b_c___e_n_c_r_y_p_t is highly recommended for most encryption purposes, in
+ that modification of a single bit of the ciphertext will affect ALL the
+ subsequent (decrypted) cleartext. Similarly, modifying a single bit of the
+ cleartext will affect ALL the subsequent (encrypted) ciphertext. "PCBC"
+ mode, on encryption, "xors" both the cleartext of block N and the cipher-
+ text resulting from block N with the cleartext for block N+1 prior to
+ encrypting block N+1.
+
+ _d_e_s___c_b_c___c_k_s_u_m produces an 8 byte cryptographic checksum by cipher-block-
+ chain encrypting the cleartext data pointed to by the _i_n_p_u_t argument. All
+ of the ciphertext output is discarded, except the last 8-byte ciphertext
+ block, which is written into the area pointed to by the _o_u_t_p_u_t argument.
+ It uses the key schedule, provided by the _s_c_h_e_d_u_l_e argument and initializa-
+ tion vector provided by the _i_v_e_c argument. If the _l_e_n_g_t_h argument is not
+ an integral multiple of eight bytes, the last cleartext block is copied to
+ a temp and zero filled (highest addresses). The output is ALWAYS eight
+ bytes.
+
+ The routine also returns an unsigned long, which is the last (highest
+ address) half of the 8 byte checksum computed.
+
+ _q_u_a_d___c_k_s_u_m produces a checksum by chaining quadratic operations on the
+ cleartext data pointed to by the _i_n_p_u_t argument. The _l_e_n_g_t_h argument speci-
+ fies the length of the input -- only exactly that many bytes are included
+ for the checksum, without any padding.
+
+ The algorithm may be iterated over the same input data, if the _o_u_t___c_o_u_n_t
+ argument is 2, 3 or 4, and the optional _o_u_t_p_u_t argument is a non-null
+ pointer . The default is one iteration, and it will not run more than 4
+ times. Multiple iterations run slower, but provide a longer checksum if
+ desired. The _s_e_e_d argument provides an 8-byte seed for the first iteration.
+ If multiple iterations are requested, the results of one iteration are
+ automatically used as the seed for the next iteration.
+
+ It returns both an unsigned long checksum value, and if the _o_u_t_p_u_t argument
+ is not a null pointer, up to 16 bytes of the computed checksum are written
+ into the output.
+
+FILES
+ /usr/include/des.h
+ /usr/lib/libdes.a
+
+SEE ALSO
+
+DIAGNOSTICS
+
+BUGS
+ This software has not yet been compiled or tested on machines other than
+ the VAX and the IBM PC.
+
+AUTHORS
+ Steve Miller, MIT Project Athena/Digital Equipment Corporation
+
+RESTRICTIONS
+ COPYRIGHT 1985,1986 Massachusetts Institute of Technology
+
+ This software may not be exported outside of the US without a special
+ license from the US Dept of Commerce. It may be replaced by any secret key
+ block cipher with block length and key length of 8 bytes, as long as the
+ interface is the same as described here.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/kerberosV/src/lib/gssapi/8003.c b/kerberosV/src/lib/gssapi/8003.c
index d90df5ed227..992a5145c6f 100644
--- a/kerberosV/src/lib/gssapi/8003.c
+++ b/kerberosV/src/lib/gssapi/8003.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,10 +33,10 @@
#include "gssapi_locl.h"
-RCSID("$KTH: 8003.c,v 1.12 2002/10/31 14:38:49 joda Exp $");
+RCSID("$KTH: 8003.c,v 1.12.2.2 2003/09/18 21:30:57 lha Exp $");
-static krb5_error_code
-encode_om_uint32(OM_uint32 n, u_char *p)
+krb5_error_code
+gssapi_encode_om_uint32(OM_uint32 n, u_char *p)
{
p[0] = (n >> 0) & 0xFF;
p[1] = (n >> 8) & 0xFF;
@@ -45,13 +45,30 @@ encode_om_uint32(OM_uint32 n, u_char *p)
return 0;
}
-static krb5_error_code
-decode_om_uint32(u_char *p, OM_uint32 *n)
+krb5_error_code
+gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p)
+{
+ p[0] = (n >> 24) & 0xFF;
+ p[1] = (n >> 16) & 0xFF;
+ p[2] = (n >> 8) & 0xFF;
+ p[3] = (n >> 0) & 0xFF;
+ return 0;
+}
+
+krb5_error_code
+gssapi_decode_om_uint32(u_char *p, OM_uint32 *n)
{
*n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
return 0;
}
+krb5_error_code
+gssapi_decode_be_om_uint32(u_char *p, OM_uint32 *n)
+{
+ *n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
+ return 0;
+}
+
static krb5_error_code
hash_input_chan_bindings (const gss_channel_bindings_t b,
u_char *p)
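Review bot: In `gssapi_decode_be_om_uint32` the term `(p[0] <<24)` shifts a `u_char` that has already been promoted to `int`, so with a 32-bit `int` any first byte of 0x80 or above shifts into the sign bit, which is undefined behaviour. The little-endian decoder has the same pattern in `(p[3] << 24)`. Cast before shifting, e.g. `*n = ((OM_uint32)p[0] << 24) | ((OM_uint32)p[1] << 16) | ((OM_uint32)p[2] << 8) | (OM_uint32)p[3];`, with the mirrored form in `gssapi_decode_om_uint32`. Both decoders only read through `p`, so the parameter could be `const u_char *p`. Now that these helpers are exported, a one-line comment on each saying that exactly four bytes at `p` are read or written would tell callers which bounds check they owe.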
@@ -60,23 +77,23 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
MD5_CTX md5;
MD5_Init(&md5);
- encode_om_uint32 (b->initiator_addrtype, num);
+ gssapi_encode_om_uint32 (b->initiator_addrtype, num);
MD5_Update (&md5, num, sizeof(num));
- encode_om_uint32 (b->initiator_address.length, num);
+ gssapi_encode_om_uint32 (b->initiator_address.length, num);
MD5_Update (&md5, num, sizeof(num));
if (b->initiator_address.length)
MD5_Update (&md5,
b->initiator_address.value,
b->initiator_address.length);
- encode_om_uint32 (b->acceptor_addrtype, num);
+ gssapi_encode_om_uint32 (b->acceptor_addrtype, num);
MD5_Update (&md5, num, sizeof(num));
- encode_om_uint32 (b->acceptor_address.length, num);
+ gssapi_encode_om_uint32 (b->acceptor_address.length, num);
MD5_Update (&md5, num, sizeof(num));
if (b->acceptor_address.length)
MD5_Update (&md5,
b->acceptor_address.value,
b->acceptor_address.length);
- encode_om_uint32 (b->application_data.length, num);
+ gssapi_encode_om_uint32 (b->application_data.length, num);
MD5_Update (&md5, num, sizeof(num));
if (b->application_data.length)
MD5_Update (&md5,
@@ -117,7 +134,7 @@ gssapi_krb5_create_8003_checksum (
}
p = result->checksum.data;
- encode_om_uint32 (16, p);
+ gssapi_encode_om_uint32 (16, p);
p += 4;
if (input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS) {
memset (p, 0, 16);
@@ -125,7 +142,7 @@ gssapi_krb5_create_8003_checksum (
hash_input_chan_bindings (input_chan_bindings, p);
}
p += 16;
- encode_om_uint32 (flags, p);
+ gssapi_encode_om_uint32 (flags, p);
p += 4;
if (fwd_data->length > 0 && (flags & GSS_C_DELEG_FLAG)) {
@@ -178,7 +195,7 @@ gssapi_krb5_verify_8003_checksum(
}
p = cksum->checksum.data;
- decode_om_uint32(p, &length);
+ gssapi_decode_om_uint32(p, &length);
if(length != sizeof(hash)) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
@@ -200,7 +217,7 @@ gssapi_krb5_verify_8003_checksum(
p += sizeof(hash);
- decode_om_uint32(p, flags);
+ gssapi_decode_om_uint32(p, flags);
p += 4;
if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
diff --git a/kerberosV/src/lib/gssapi/ChangeLog b/kerberosV/src/lib/gssapi/ChangeLog
index d08f72b5f4f..b18bde67ead 100644
--- a/kerberosV/src/lib/gssapi/ChangeLog
+++ b/kerberosV/src/lib/gssapi/ChangeLog
@@ -1,3 +1,72 @@
+2003-12-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * accept_sec_context.c: 1.40->1.41: Don't require timestamp to be
+ set on delegated token, its already protected by the outer token
+ (and windows doesn't alway send it) Pointed out by Zi-Bin Yang
+ <zbyang@decru.com> on heimdal-discuss
+
+2003-10-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * add_cred.c: 1.3->1.4: If its a MEMORY cc, make a copy. We need
+ to do this since now gss_release_cred will destroy the cred. This
+ should be really be solved a better way.
+
+2003-10-07 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * release_cred.c: 1.9->1.10:
+ (gss_release_cred): if its a mcc, destroy it rather the just release it
+ Found by: "Zi-Bin Yang" <zbyang@decru.com>
+
+2003-09-19 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * arcfour.c: 1.13->1.14: remove depenency on gss_arcfour_mic_token
+ and gss_arcfour_warp_token
+
+ * arcfour.h: 1.3->1.4: remove depenency on gss_arcfour_mic_token
+ and gss_arcfour_warp_token
+
+ * arcfour.c: make build
+
+ * get_mic.c, verify_mic.c, unwrap.c, wrap.c:
+ glue in arcfour support
+
+ * gssapi_locl.h: 1.32->1.33: add _gssapi_verify_pad
+
+2003-09-18 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * encapsulate.c: add _gssapi_make_mech_header
+
+ * gssapi_locl.h: add "arcfour.h" and prototype for
+ _gssapi_make_mech_header
+
+ * gssapi_locl.h: add gssapi_{en,de}code_{be_,}om_uint32
+
+ * 8003.c: 1.12->1.13: export and rename
+ encode_om_uint32/decode_om_uint32 and start to use them
+
+2003-08-16 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * verify_mic.c: 1.21->1.22: make sure minor_status is always set,
+ pointed out by Luke Howard <lukeh@PADL.COM>
+
+2003-08-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * context_time.c: 1.7->1.10: return time in seconds from now
+
+ * gssapi_locl.h: add gssapi_lifetime_left
+
+ * init_sec_context.c: part of 1.37->1.38: (init_auth): if the cred
+ is expired before we tries to create a token, fail so the peer
+ doesn't need reject us
+ (*): make sure time is returned in seconds from now, not in
+ kerberos time
+
+ * acquire_cred.c: 1.14->1.15: (gss_aquire_cred): make sure time is
+ returned in seconds from now, not in kerberos time
+
+ * accept_sec_context.c: 1.34->1.35: (gss_accept_sec_context): make
+ sure time is returned in seconds from now, not in kerberos time
+
2003-05-07 Love Hörnquist Åstrand <lha@it.su.se>
* gssapi.h: 1.27->1.28:
diff --git a/kerberosV/src/lib/gssapi/accept_sec_context.c b/kerberosV/src/lib/gssapi/accept_sec_context.c
index 3b04cd2c2e6..a1d31f38d1c 100644
--- a/kerberosV/src/lib/gssapi/accept_sec_context.c
+++ b/kerberosV/src/lib/gssapi/accept_sec_context.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$KTH: accept_sec_context.c,v 1.33 2003/03/16 17:41:12 lha Exp $");
+RCSID("$KTH: accept_sec_context.c,v 1.33.2.2 2003/12/19 00:37:06 lha Exp $");
krb5_keytab gssapi_krb5_keytab;
@@ -291,8 +291,8 @@ gss_accept_sec_context
}
if (fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
-
krb5_ccache ccache;
+ int32_t ac_flags;
if (delegated_cred_handle == NULL)
/* XXX Create a new delegated_cred_handle? */
@@ -346,10 +346,19 @@ gss_accept_sec_context
goto end_fwd;
}
+ krb5_auth_con_getflags(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ &ac_flags);
+ krb5_auth_con_setflags(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ ac_flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
kret = krb5_rd_cred2(gssapi_krb5_context,
(*context_handle)->auth_context,
ccache,
&fwd_data);
+ krb5_auth_con_setflags(gssapi_krb5_context,
+ (*context_handle)->auth_context,
+ ac_flags);
if (kret) {
flags &= ~GSS_C_DELEG_FLAG;
goto end_fwd;
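Review bot: The added `krb5_auth_con_getflags` and `krb5_auth_con_setflags` calls around `krb5_rd_cred2` discard their return values, and `ac_flags` is declared without an initialiser in the previous hunk. If the get were ever to fail, an indeterminate value would be masked and then written back as the auth context's flags; checking its result and taking the existing `flags &= ~GSS_C_DELEG_FLAG; goto end_fwd;` path on error avoids that. Clearing `KRB5_AUTH_CONTEXT_DO_TIME` also switches off a freshness check on the forwarded credential, and the justification exists only in the ChangeLog. A comment at the call site, e.g. `/* delegated KRB-CRED is covered by the outer token; some peers omit its timestamp */`, would keep that reasoning next to the code. The function body extends beyond this hunk.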
@@ -371,8 +380,13 @@ gss_accept_sec_context
if (mech_type)
*mech_type = GSS_KRB5_MECHANISM;
- if (time_rec)
- *time_rec = (*context_handle)->lifetime;
+ if (time_rec) {
+ ret = gssapi_lifetime_left(minor_status,
+ (*context_handle)->lifetime,
+ time_rec);
+ if (ret)
+ goto failure;
+ }
if(flags & GSS_C_MUTUAL_FLAG) {
krb5_data outbuf;
diff --git a/kerberosV/src/lib/gssapi/acquire_cred.c b/kerberosV/src/lib/gssapi/acquire_cred.c
index f45e8bcb782..59a876f31d2 100644
--- a/kerberosV/src/lib/gssapi/acquire_cred.c
+++ b/kerberosV/src/lib/gssapi/acquire_cred.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$KTH: acquire_cred.c,v 1.13 2003/04/06 00:31:55 lha Exp $");
+RCSID("$KTH: acquire_cred.c,v 1.13.2.1 2003/08/15 14:18:24 lha Exp $");
static krb5_error_code
get_keytab(krb5_keytab *keytab)
@@ -295,8 +295,14 @@ OM_uint32 gss_acquire_cred
return (ret);
}
*minor_status = 0;
- if (time_rec)
- *time_rec = handle->lifetime;
+ if (time_rec) {
+ ret = gssapi_lifetime_left(minor_status,
+ handle->lifetime,
+ time_rec);
+
+ if (ret)
+ return ret;
+ }
handle->usage = cred_usage;
*output_cred_handle = handle;
return (GSS_S_COMPLETE);
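Review bot: The new `return ret;` after `gssapi_lifetime_left` exits before `*output_cred_handle = handle;`, so on that path `handle` is neither handed to the caller nor, as far as this hunk shows, released. Unless cleanup happens somewhere not visible here, the credential handle and whatever it references leak each time the lifetime query fails. Release `handle` before returning, in the same way as the error path that ends in `return (ret);` just above. The function starts outside the hunk, so how `handle` is allocated is not shown.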
diff --git a/kerberosV/src/lib/gssapi/add_cred.c b/kerberosV/src/lib/gssapi/add_cred.c
index 930aa72f405..f360948d2e1 100644
--- a/kerberosV/src/lib/gssapi/add_cred.c
+++ b/kerberosV/src/lib/gssapi/add_cred.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$KTH: add_cred.c,v 1.2 2003/04/06 00:29:17 lha Exp $");
+RCSID("$KTH: add_cred.c,v 1.2.2.1 2003/10/21 21:00:47 lha Exp $");
OM_uint32 gss_add_cred (
OM_uint32 *minor_status,
@@ -152,25 +152,43 @@ OM_uint32 gss_add_cred (
goto failure;
}
- name = krb5_cc_get_name(gssapi_krb5_context, cred->ccache);
- if (name == NULL) {
- *minor_status = ENOMEM;
- goto failure;
- }
-
- asprintf(&type_name, "%s:%s", type, name);
- if (type_name == NULL) {
- *minor_status = ENOMEM;
- goto failure;
+ if (strcmp(type, "MEMORY") == 0) {
+ ret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops,
+ &handle->ccache);
+ if (ret) {
+ *minor_status = ret;
+ goto failure;
+ }
+
+ ret = krb5_cc_copy_cache(gssapi_krb5_context, cred->ccache,
+ handle->ccache);
+ if (ret) {
+ *minor_status = ret;
+ goto failure;
+ }
+
+ } else {
+
+ name = krb5_cc_get_name(gssapi_krb5_context, cred->ccache);
+ if (name == NULL) {
+ *minor_status = ENOMEM;
+ goto failure;
+ }
+
+ asprintf(&type_name, "%s:%s", type, name);
+ if (type_name == NULL) {
+ *minor_status = ENOMEM;
+ goto failure;
+ }
+
+ kret = krb5_cc_resolve(gssapi_krb5_context, type_name,
+ &handle->ccache);
+ free(type_name);
+ if (kret) {
+ *minor_status = kret;
+ goto failure;
+ }
}
-
- kret = krb5_cc_resolve(gssapi_krb5_context, type_name,
- &handle->ccache);
- free(type_name);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
}
ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
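Review bot: The new MEMORY branch stores the results of `krb5_cc_gen_new` and `krb5_cc_copy_cache` in `ret`, which the last line of the hunk shows is the GSS major-status variable, while the else branch keeps Kerberos codes in `kret`. If the `failure` label returns `ret` (it is outside this hunk), callers would get a raw krb5 error code as the major status, which the usual GSS error checks would misread. Use `kret` for both calls, as in `kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops, &handle->ccache);`, and set `ret` to a GSS failure status before `goto failure`. It is also worth confirming that the failure path destroys the freshly generated memory ccache when the copy fails.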
diff --git a/kerberosV/src/lib/gssapi/arcfour.c b/kerberosV/src/lib/gssapi/arcfour.c
new file mode 100644
index 00000000000..cfe59267521
--- /dev/null
+++ b/kerberosV/src/lib/gssapi/arcfour.c
@@ -0,0 +1,623 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "gssapi_locl.h"
+
+/*
+ * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
+ */
+
+RCSID("$KTH: arcfour.c,v 1.12.2.3 2003/09/19 15:15:11 lha Exp $");
+
+static krb5_error_code
+arcfour_mic_key(krb5_context context, krb5_keyblock *key,
+ void *cksum_data, size_t cksum_size,
+ void *key6_data, size_t key6_size)
+{
+ krb5_error_code ret;
+
+ Checksum cksum_k5;
+ krb5_keyblock key5;
+ char k5_data[16];
+
+ Checksum cksum_k6;
+
+ char T[4];
+
+ memset(T, 0, 4);
+ cksum_k5.checksum.data = k5_data;
+ cksum_k5.checksum.length = sizeof(k5_data);
+
+ if (key->keytype == KEYTYPE_ARCFOUR_56) {
+ char L40[14] = "fortybits";
+
+ memcpy(L40 + 10, T, sizeof(T));
+ ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5,
+ L40, 14, 0, key, &cksum_k5);
+ memset(&k5_data[7], 0xAB, 9);
+ } else {
+ ret = krb5_hmac(context, CKSUMTYPE_RSA_MD5,
+ T, 4, 0, key, &cksum_k5);
+ }
+ if (ret)
+ return ret;
+
+ key5.keytype = KEYTYPE_ARCFOUR;
+ key5.keyvalue = cksum_k5.checksum;
+
+ cksum_k6.checksum.data = key6_data;
+ cksum_k6.checksum.length = key6_size;
+
+ return krb5_hmac(context, CKSUMTYPE_RSA_MD5,
+ cksum_data, cksum_size, 0, &key5, &cksum_k6);
+}
+
+
+static krb5_error_code
+arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
+ u_char *sgn_cksum, size_t sgn_cksum_sz,
+ const char *v1, size_t l1,
+ const void *v2, size_t l2,
+ const void *v3, size_t l3)
+{
+ Checksum CKSUM;
+ u_char *ptr;
+ size_t len;
+ krb5_crypto crypto;
+ krb5_error_code ret;
+
+ assert(sgn_cksum_sz == 8);
+
+ len = l1 + l2 + l3;
+
+ ptr = malloc(len);
+ if (ptr == NULL)
+ return ENOMEM;
+
+ memcpy(ptr, v1, l1);
+ memcpy(ptr + l1, v2, l2);
+ memcpy(ptr + l1 + l2, v3, l3);
+
+ ret = krb5_crypto_init(gssapi_krb5_context, key, 0, &crypto);
+ if (ret) {
+ free(ptr);
+ return ret;
+ }
+
+ ret = krb5_create_checksum(gssapi_krb5_context,
+ crypto,
+ usage,
+ 0,
+ ptr, len,
+ &CKSUM);
+ free(ptr);
+ if (ret == 0) {
+ memcpy(sgn_cksum, CKSUM.checksum.data, sgn_cksum_sz);
+ free_Checksum(&CKSUM);
+ }
+ krb5_crypto_destroy(gssapi_krb5_context, crypto);
+
+ return ret;
+}
+
+
+OM_uint32
+_gssapi_get_mic_arcfour(OM_uint32 * minor_status,
+ const gss_ctx_id_t context_handle,
+ gss_qop_t qop_req,
+ const gss_buffer_t message_buffer,
+ gss_buffer_t message_token,
+ krb5_keyblock *key)
+{
+ krb5_error_code ret;
+ int32_t seq_number;
+ size_t len, total_len;
+ u_char k6_data[16], *p0, *p;
+ RC4_KEY rc4_key;
+
+ gssapi_krb5_encap_length (22, &len, &total_len);
+
+ message_token->length = total_len;
+ message_token->value = malloc (total_len);
+ if (message_token->value == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ p0 = _gssapi_make_mech_header(message_token->value,
+ len);
+ p = p0;
+
+ *p++ = 0x01; /* TOK_ID */
+ *p++ = 0x01;
+ *p++ = 0x11; /* SGN_ALG */
+ *p++ = 0x00;
+ *p++ = 0xff; /* Filler */
+ *p++ = 0xff;
+ *p++ = 0xff;
+ *p++ = 0xff;
+
+ p = NULL;
+
+ ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN,
+ p0 + 16, 8, /* SGN_CKSUM */
+ p0, 8, /* TOK_ID, SGN_ALG, Filer */
+ message_buffer->value, message_buffer->length,
+ NULL, 0);
+ if (ret) {
+ gss_release_buffer(minor_status, message_token);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = arcfour_mic_key(gssapi_krb5_context, key,
+ p0 + 16, 8, /* SGN_CKSUM */
+ k6_data, sizeof(k6_data));
+ if (ret) {
+ gss_release_buffer(minor_status, message_token);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ &seq_number);
+ p = p0 + 8; /* SND_SEQ */
+ gssapi_encode_be_om_uint32(seq_number, p);
+
+ krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ ++seq_number);
+
+ memset (p + 4, (context_handle->more_flags & LOCAL) ? 0 : 0xff, 4);
+
+ RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+ RC4 (&rc4_key, 8, p, p);
+
+ memset(&rc4_key, 0, sizeof(rc4_key));
+ memset(k6_data, 0, sizeof(k6_data));
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+
+OM_uint32
+_gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t message_buffer,
+ const gss_buffer_t token_buffer,
+ gss_qop_t * qop_state,
+ krb5_keyblock *key,
+ char *type)
+{
+ krb5_error_code ret;
+ int32_t seq_number, seq_number2;
+ OM_uint32 omret;
+ char cksum_data[8], k6_data[16], SND_SEQ[8];
+ u_char *p;
+ int cmp;
+
+ if (qop_state)
+ *qop_state = 0;
+
+ p = token_buffer->value;
+ omret = gssapi_krb5_verify_header (&p,
+ token_buffer->length,
+ type);
+ if (omret)
+ return omret;
+
+ if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
+ return GSS_S_BAD_SIG;
+ p += 2;
+ if (memcmp (p, "\xff\xff\xff\xff", 4) != 0)
+ return GSS_S_BAD_MIC;
+ p += 4;
+
+ ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SIGN,
+ cksum_data, sizeof(cksum_data),
+ p - 8, 8,
+ message_buffer->value, message_buffer->length,
+ NULL, 0);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = arcfour_mic_key(gssapi_krb5_context, key,
+ cksum_data, sizeof(cksum_data),
+ k6_data, sizeof(k6_data));
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ cmp = memcmp(cksum_data, p + 8, 8);
+ if (cmp) {
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+ }
+
+ {
+ RC4_KEY rc4_key;
+
+ RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+ RC4 (&rc4_key, 8, p, SND_SEQ);
+
+ memset(&rc4_key, 0, sizeof(rc4_key));
+ memset(k6_data, 0, sizeof(k6_data));
+ }
+
+ gssapi_decode_be_om_uint32(SND_SEQ, &seq_number);
+
+ if (context_handle->more_flags & LOCAL)
+ cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+ else
+ cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+
+ memset(SND_SEQ, 0, sizeof(SND_SEQ));
+ if (cmp != 0) {
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+ }
+
+ krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ &seq_number2);
+
+ if (seq_number != seq_number2) {
+ *minor_status = 0;
+ return GSS_S_UNSEQ_TOKEN;
+ }
+
+ krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ ++seq_number2);
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32
+_gssapi_wrap_arcfour(OM_uint32 * minor_status,
+ const gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ const gss_buffer_t input_message_buffer,
+ int * conf_state,
+ gss_buffer_t output_message_buffer,
+ krb5_keyblock *key)
+{
+ u_char Klocaldata[16], k6_data[16], *p, *p0;
+ size_t len, total_len, datalen;
+ krb5_keyblock Klocal;
+ krb5_error_code ret;
+ int32_t seq_number;
+
+ if (conf_state)
+ *conf_state = 0;
+
+ datalen = input_message_buffer->length + 1 /* padding */;
+ len = datalen + 30;
+ gssapi_krb5_encap_length (len, &len, &total_len);
+
+ output_message_buffer->length = total_len;
+ output_message_buffer->value = malloc (total_len);
+ if (output_message_buffer->value == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ p0 = _gssapi_make_mech_header(output_message_buffer->value,
+ len);
+ p = p0;
+
+ *p++ = 0x02; /* TOK_ID */
+ *p++ = 0x01;
+ *p++ = 0x11; /* SGN_ALG */
+ *p++ = 0x00;
+ if (conf_req_flag) {
+ *p++ = 0x10; /* SEAL_ALG */
+ *p++ = 0x00;
+ } else {
+ *p++ = 0xff; /* SEAL_ALG */
+ *p++ = 0xff;
+ }
+ *p++ = 0xff; /* Filler */
+ *p++ = 0xff;
+
+ p = NULL;
+
+ krb5_auth_con_getlocalseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ &seq_number);
+
+ gssapi_encode_be_om_uint32(seq_number, p0 + 8);
+
+ krb5_auth_con_setlocalseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ ++seq_number);
+
+ memset (p0 + 8 + 4,
+ (context_handle->more_flags & LOCAL) ? 0 : 0xff,
+ 4);
+
+ krb5_generate_random_block(p0 + 24, 8); /* fill in Confounder */
+
+ /* p points to data */
+ p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
+ memcpy(p, input_message_buffer->value, input_message_buffer->length);
+ p[input_message_buffer->length] = 1; /* PADDING */
+
+ ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
+ p0 + 16, 8, /* SGN_CKSUM */
+ p0, 8, /* TOK_ID, SGN_ALG, SEAL_ALG, Filler */
+ p0 + 24, 8, /* Confounder */
+ p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
+ datalen);
+ if (ret) {
+ *minor_status = ret;
+ gss_release_buffer(minor_status, output_message_buffer);
+ return GSS_S_FAILURE;
+ }
+
+ {
+ int i;
+
+ Klocal.keytype = key->keytype;
+ Klocal.keyvalue.data = Klocaldata;
+ Klocal.keyvalue.length = sizeof(Klocaldata);
+
+ for (i = 0; i < 16; i++)
+ Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
+ }
+ ret = arcfour_mic_key(gssapi_krb5_context, &Klocal,
+ p0 + 8, 4, /* SND_SEQ */
+ k6_data, sizeof(k6_data));
+ memset(Klocaldata, 0, sizeof(Klocaldata));
+ if (ret) {
+ gss_release_buffer(minor_status, output_message_buffer);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+
+ if(conf_req_flag) {
+ RC4_KEY rc4_key;
+
+ RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+ /* XXX ? */
+ RC4 (&rc4_key, 8 + datalen, p0 + 24, p0 + 24); /* Confounder + data */
+ memset(&rc4_key, 0, sizeof(rc4_key));
+ }
+ memset(k6_data, 0, sizeof(k6_data));
+
+ ret = arcfour_mic_key(gssapi_krb5_context, key,
+ p0 + 16, 8, /* SGN_CKSUM */
+ k6_data, sizeof(k6_data));
+ if (ret) {
+ gss_release_buffer(minor_status, output_message_buffer);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ {
+ RC4_KEY rc4_key;
+
+ RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+ RC4 (&rc4_key, 8, p0 + 8, p0 + 8); /* SND_SEQ */
+ memset(&rc4_key, 0, sizeof(rc4_key));
+ memset(k6_data, 0, sizeof(k6_data));
+ }
+
+ if (conf_state)
+ *conf_state = conf_req_flag;
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t input_message_buffer,
+ gss_buffer_t output_message_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ krb5_keyblock *key)
+{
+ u_char Klocaldata[16];
+ krb5_keyblock Klocal;
+ krb5_error_code ret;
+ int32_t seq_number, seq_number2;
+ size_t datalen;
+ OM_uint32 omret;
+ char k6_data[16], SND_SEQ[8], Confounder[8];
+ char cksum_data[8];
+ u_char *p, *p0;
+ int cmp;
+ int conf_flag;
+ size_t padlen;
+
+ if (conf_state)
+ *conf_state = 0;
+ if (qop_state)
+ *qop_state = 0;
+
+ p0 = input_message_buffer->value;
+ omret = _gssapi_verify_mech_header(&p0,
+ input_message_buffer->length);
+ if (omret)
+ return omret;
+ p = p0;
+
+ datalen = input_message_buffer->length -
+ (p - ((u_char *)input_message_buffer->value)) -
+ GSS_ARCFOUR_WRAP_TOKEN_SIZE;
+
+ if (memcmp(p, "\x02\x01", 2) != 0)
+ return GSS_S_BAD_SIG;
+ p += 2;
+ if (memcmp(p, "\x11\x00", 2) != 0) /* SGN_ALG = HMAC MD5 ARCFOUR */
+ return GSS_S_BAD_SIG;
+ p += 2;
+
+ if (memcmp (p, "\x10\x00", 2) == 0)
+ conf_flag = 1;
+ else if (memcmp (p, "\xff\xff", 2) == 0)
+ conf_flag = 0;
+ else
+ return GSS_S_BAD_SIG;
+
+ p += 2;
+ if (memcmp (p, "\xff\xff", 2) != 0)
+ return GSS_S_BAD_MIC;
+ p = NULL;
+
+ ret = arcfour_mic_key(gssapi_krb5_context, key,
+ p0 + 16, 8, /* SGN_CKSUM */
+ k6_data, sizeof(k6_data));
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ {
+ RC4_KEY rc4_key;
+
+ RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+ RC4 (&rc4_key, 8, p0 + 8, SND_SEQ); /* SND_SEQ */
+ memset(&rc4_key, 0, sizeof(rc4_key));
+ memset(k6_data, 0, sizeof(k6_data));
+ }
+
+ gssapi_decode_be_om_uint32(SND_SEQ, &seq_number);
+
+ if (context_handle->more_flags & LOCAL)
+ cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+ else
+ cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+
+ if (cmp != 0) {
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+ }
+
+ {
+ int i;
+
+ Klocal.keytype = key->keytype;
+ Klocal.keyvalue.data = Klocaldata;
+ Klocal.keyvalue.length = sizeof(Klocaldata);
+
+ for (i = 0; i < 16; i++)
+ Klocaldata[i] = ((u_char *)key->keyvalue.data)[i] ^ 0xF0;
+ }
+ ret = arcfour_mic_key(gssapi_krb5_context, &Klocal,
+ SND_SEQ, 4,
+ k6_data, sizeof(k6_data));
+ memset(Klocaldata, 0, sizeof(Klocaldata));
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ output_message_buffer->value = malloc(datalen);
+ if (output_message_buffer->value == NULL) {
+ *minor_status = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ output_message_buffer->length = datalen;
+
+ if(conf_flag) {
+ RC4_KEY rc4_key;
+
+ RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+ RC4 (&rc4_key, 8, p0 + 24, Confounder); /* Confounder */
+ RC4 (&rc4_key, datalen, p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
+ output_message_buffer->value);
+ memset(&rc4_key, 0, sizeof(rc4_key));
+ } else {
+ memcpy(Confounder, p0 + 24, 8); /* Confounder */
+ memcpy(output_message_buffer->value,
+ p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE,
+ datalen);
+ }
+ memset(k6_data, 0, sizeof(k6_data));
+
+ ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen);
+ if (ret) {
+ gss_release_buffer(minor_status, output_message_buffer);
+ *minor_status = 0;
+ return ret;
+ }
+ output_message_buffer->length -= padlen;
+
+ ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
+ cksum_data, sizeof(cksum_data),
+ p0, 8,
+ Confounder, sizeof(Confounder),
+ output_message_buffer->value,
+ output_message_buffer->length + padlen);
+ if (ret) {
+ gss_release_buffer(minor_status, output_message_buffer);
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
+ if (cmp) {
+ gss_release_buffer(minor_status, output_message_buffer);
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+ }
+
+ krb5_auth_getremoteseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ &seq_number2);
+
+ if (seq_number != seq_number2) {
+ *minor_status = 0;
+ return GSS_S_UNSEQ_TOKEN;
+ }
+
+ krb5_auth_con_setremoteseqnumber (gssapi_krb5_context,
+ context_handle->auth_context,
+ ++seq_number2);
+
+ if (conf_state)
+ *conf_state = conf_flag;
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
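Review bot: `_gssapi_unwrap_arcfour` computes `datalen` by subtracting the mechanism header length and `GSS_ARCFOUR_WRAP_TOKEN_SIZE` from `input_message_buffer->length` without first checking that the token is that long, so a short token from the peer wraps the `size_t` and the later `malloc(datalen)`, `RC4` and `memcpy` calls use a length larger than the input. The fixed fields at `p0 + 8`, `p0 + 16` and `p0 + 24` are likewise read before any length check. A guard placed right after `_gssapi_verify_mech_header` succeeds covers both: `if ((size_t)(p0 - (u_char *)input_message_buffer->value) + GSS_ARCFOUR_WRAP_TOKEN_SIZE > input_message_buffer->length) return GSS_S_DEFECTIVE_TOKEN;`. Separately, the first error path in `_gssapi_wrap_arcfour` sets `*minor_status = ret` before calling `gss_release_buffer(minor_status, ...)`, the reverse of every other error path in the file, so the krb5 error code is probably overwritten there.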
diff --git a/kerberosV/src/lib/gssapi/arcfour.h b/kerberosV/src/lib/gssapi/arcfour.h
new file mode 100644
index 00000000000..17e047ad29f
--- /dev/null
+++ b/kerberosV/src/lib/gssapi/arcfour.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $KTH: arcfour.h,v 1.3.2.2 2003/09/19 15:14:14 lha Exp $ */
+
+#ifndef GSSAPI_ARCFOUR_H_
+#define GSSAPI_ARCFOUR_H_ 1
+
+/*
+ * The arcfour message have the following formats, these are only here
+ * for reference and is not used.
+ */
+
+#if 0
+typedef struct gss_arcfour_mic_token {
+ u_char TOK_ID[2]; /* 01 01 */
+ u_char SGN_ALG[2]; /* 11 00 */
+ u_char Filler[4];
+ u_char SND_SEQ[8];
+ u_char SGN_CKSUM[8];
+} gss_arcfour_mic_token_desc, *gss_arcfour_mic_token;
+
+typedef struct gss_arcfour_wrap_token {
+ u_char TOK_ID[2]; /* 02 01 */
+ u_char SGN_ALG[2];
+ u_char SEAL_ALG[2];
+ u_char Filler[2];
+ u_char SND_SEQ[8];
+ u_char SGN_CKSUM[8];
+ u_char Confounder[8];
+} gss_arcfour_wrap_token_desc, *gss_arcfour_wrap_token;
+#endif
+
+#define GSS_ARCFOUR_WRAP_TOKEN_SIZE 32
+
+OM_uint32 _gssapi_wrap_arcfour(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ const gss_buffer_t input_message_buffer,
+ int *conf_state,
+ gss_buffer_t output_message_buffer,
+ krb5_keyblock *key);
+
+OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t input_message_buffer,
+ gss_buffer_t output_message_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state,
+ krb5_keyblock *key);
+
+OM_uint32 _gssapi_get_mic_arcfour(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ gss_qop_t qop_req,
+ const gss_buffer_t message_buffer,
+ gss_buffer_t message_token,
+ krb5_keyblock *key);
+
+OM_uint32 _gssapi_verify_mic_arcfour(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t message_buffer,
+ const gss_buffer_t token_buffer,
+ gss_qop_t *qop_state,
+ krb5_keyblock *key,
+ char *type);
+
+#endif /* GSSAPI_ARCFOUR_H_ */
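Review bot: `GSS_ARCFOUR_WRAP_TOKEN_SIZE` is a bare 32 whose only justification is the wrap-token struct that sits under `#if 0`, and arcfour.c in this commit indexes the token with the literal offsets 8, 16 and 24 that depend on the same layout. A comment on the define would tie them together, for example `/* TOK_ID 2 + SGN_ALG 2 + SEAL_ALG 2 + Filler 2 + SND_SEQ 8 + SGN_CKSUM 8 + Confounder 8 */`. The header also uses `OM_uint32`, `gss_ctx_id_t` and `krb5_keyblock` without including anything, so it appears to depend on being included after the GSS-API and krb5 headers; a one-line comment saying so would help.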
diff --git a/kerberosV/src/lib/gssapi/context_time.c b/kerberosV/src/lib/gssapi/context_time.c
index 6c1abd6de02..78f3d50d0a0 100644
--- a/kerberosV/src/lib/gssapi/context_time.c
+++ b/kerberosV/src/lib/gssapi/context_time.c
@@ -33,7 +33,31 @@
#include "gssapi_locl.h"
-RCSID("$KTH: context_time.c,v 1.7 2003/03/16 17:48:33 lha Exp $");
+RCSID("$KTH: context_time.c,v 1.7.2.1 2003/08/15 14:25:50 lha Exp $");
+
+OM_uint32
+gssapi_lifetime_left(OM_uint32 *minor_status,
+ OM_uint32 lifetime,
+ OM_uint32 *lifetime_rec)
+{
+ krb5_timestamp timeret;
+ krb5_error_code kret;
+
+ kret = krb5_timeofday(gssapi_krb5_context, &timeret);
+ if (kret) {
+ *minor_status = kret;
+ gssapi_krb5_set_error_string ();
+ return GSS_S_FAILURE;
+ }
+
+ if (lifetime < timeret)
+ *lifetime_rec = 0;
+ else
+ *lifetime_rec = lifetime - timeret;
+
+ return GSS_S_COMPLETE;
+}
+
OM_uint32 gss_context_time
(OM_uint32 * minor_status,
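Review bot: `gssapi_lifetime_left` writes `*minor_status` only on the `krb5_timeofday` failure path, so on success a caller sees whatever value was there before; adding `*minor_status = 0;` before the final `return GSS_S_COMPLETE;` would make the helper safe to call on its own. The comparison `lifetime < timeret` mixes `OM_uint32` with `krb5_timestamp`, which is presumably a signed type, so the clamp to zero relies on the implicit conversion; an explicit cast, or a short comment stating that both values are absolute times in seconds, would make the intent clear. The trailing context lines of this hunk belong to `gss_context_time`, whose body is outside it.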
@@ -42,26 +66,20 @@ OM_uint32 gss_context_time
)
{
OM_uint32 lifetime;
- OM_uint32 ret;
- krb5_error_code kret;
- krb5_timestamp timeret;
+ OM_uint32 major_status;
GSSAPI_KRB5_INIT ();
- ret = gss_inquire_context(minor_status, context_handle,
- NULL, NULL, &lifetime, NULL, NULL, NULL, NULL);
- if (ret) {
- return ret;
- }
+ lifetime = context_handle->lifetime;
- kret = krb5_timeofday(gssapi_krb5_context, &timeret);
- if (kret) {
- *minor_status = kret;
- gssapi_krb5_set_error_string ();
- return GSS_S_FAILURE;
- }
+ major_status = gssapi_lifetime_left(minor_status, lifetime, time_rec);
+ if (major_status != GSS_S_COMPLETE)
+ return major_status;
- *time_rec = lifetime - timeret;
*minor_status = 0;
+
+ if (*time_rec == 0)
+ return GSS_S_CONTEXT_EXPIRED;
+
return GSS_S_COMPLETE;
}
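Review bot: `gss_context_time` now reads `context_handle->lifetime` directly, and nothing visible in the hunk checks the handle first, so a caller passing `GSS_C_NO_CONTEXT` would dereference a null handle. Whether the removed `gss_inquire_context` call validated the handle is not visible here, but a guard such as `if (context_handle == GSS_C_NO_CONTEXT) { *minor_status = 0; return GSS_S_NO_CONTEXT; }` before the read would make the function independent of that. The function's signature starts outside the hunk.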
diff --git a/kerberosV/src/lib/gssapi/decapsulate.c b/kerberosV/src/lib/gssapi/decapsulate.c
index dfc44c87ab2..9e0096c4bbb 100644
--- a/kerberosV/src/lib/gssapi/decapsulate.c
+++ b/kerberosV/src/lib/gssapi/decapsulate.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$KTH: decapsulate.c,v 1.7 2001/08/23 04:35:54 assar Exp $");
+RCSID("$KTH: decapsulate.c,v 1.7.6.1 2003/09/18 22:00:41 lha Exp $");
OM_uint32
gssapi_krb5_verify_header(u_char **str,
@@ -73,6 +73,56 @@ gssapi_krb5_verify_header(u_char **str,
return GSS_S_COMPLETE;
}
+static ssize_t
+gssapi_krb5_get_mech (const u_char *ptr,
+ size_t total_len,
+ const u_char **mech_ret)
+{
+ size_t len, len_len, mech_len, foo;
+ const u_char *p = ptr;
+ int e;
+
+ if (total_len < 1)
+ return -1;
+ if (*p++ != 0x60)
+ return -1;
+ e = der_get_length (p, total_len - 1, &len, &len_len);
+ if (e || 1 + len_len + len != total_len)
+ return -1;
+ p += len_len;
+ if (*p++ != 0x06)
+ return -1;
+ e = der_get_length (p, total_len - 1 - len_len - 1,
+ &mech_len, &foo);
+ if (e)
+ return -1;
+ p += foo;
+ *mech_ret = p;
+ return mech_len;
+}
+
+OM_uint32
+_gssapi_verify_mech_header(u_char **str,
+ size_t total_len)
+{
+ const u_char *p;
+ ssize_t mech_len;
+
+ mech_len = gssapi_krb5_get_mech (*str, total_len, &p);
+ if (mech_len < 0)
+ return GSS_S_DEFECTIVE_TOKEN;
+
+ if (mech_len != GSS_KRB5_MECHANISM->length)
+ return GSS_S_BAD_MECH;
+ if (memcmp(p,
+ GSS_KRB5_MECHANISM->elements,
+ GSS_KRB5_MECHANISM->length) != 0)
+ return GSS_S_BAD_MECH;
+ p += mech_len;
+ *str = (char *)p;
+ return GSS_S_COMPLETE;
+}
+
/*
* Remove the GSS-API wrapping from `in_token' giving `out_data.
* Does not copy data, so just free `in_token'.
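Review bot: `gssapi_krb5_get_mech` never checks the decoded lengths against the bytes that remain, although the token comes from the peer: when `len` is 0 the read of the 0x06 tag is already past the buffer and `total_len - 1 - len_len - 1` wraps, and `mech_len` is returned without being compared to what is left, so the `memcmp` in `_gssapi_verify_mech_header` can read beyond the token. Adding `if (len < 2) return -1;` after the first length check and changing the second check to `if (e || mech_len > total_len - 1 - len_len - 1 - foo) return -1;` would bound both. `*str = (char *)p;` casts to `char *` while `str` is `u_char **`; `(u_char *)p` matches the declaration. Neither function has a comment, and one stating that the first returns the OID length or -1 and the second advances `*str` past the OID would be worth adding.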
@@ -103,3 +153,32 @@ gssapi_krb5_decapsulate(
out_data->data = p;
return GSS_S_COMPLETE;
}
+
+/*
+ * Verify padding of a gss wrapped message and return its length.
+ */
+
+OM_uint32
+_gssapi_verify_pad(gss_buffer_t wrapped_token,
+ size_t datalen,
+ size_t *padlen)
+{
+ u_char *pad;
+ size_t padlength;
+ int i;
+
+ pad = (u_char *)wrapped_token->value + wrapped_token->length - 1;
+ padlength = *pad;
+
+ if (padlength > datalen)
+ return GSS_S_BAD_MECH;
+
+ for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
+ ;
+ if (i != 0)
+ return GSS_S_BAD_MIC;
+
+ *padlen = padlength;
+
+ return 0;
+}
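Review bot: `_gssapi_verify_pad` reads the last byte at `value + length - 1` without checking that `wrapped_token->length` is non-zero, so an empty buffer makes it read one byte before the allocation; `if (wrapped_token->length < 1) return GSS_S_BAD_MECH;` ahead of the `pad` assignment avoids that. The bound is also taken against the separate `datalen` argument rather than `wrapped_token->length`, so the backwards walk is only safe when the caller passes matching values, which the comment above the function should state. A pad byte of 0 is accepted and reported as `*padlen = 0`; if that is intended it deserves a word in the comment too. The function returns a bare `0` on success where the rest of the file uses `GSS_S_COMPLETE`.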
diff --git a/kerberosV/src/lib/gssapi/encapsulate.c b/kerberosV/src/lib/gssapi/encapsulate.c
index cde4d85dca2..5049903d780 100644
--- a/kerberosV/src/lib/gssapi/encapsulate.c
+++ b/kerberosV/src/lib/gssapi/encapsulate.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$KTH: encapsulate.c,v 1.6 2001/08/23 04:35:54 assar Exp $");
+RCSID("$KTH: encapsulate.c,v 1.6.6.1 2003/09/18 21:47:44 lha Exp $");
void
gssapi_krb5_encap_length (size_t data_len,
@@ -72,6 +72,26 @@ gssapi_krb5_make_header (u_char *p,
return p;
}
+u_char *
+_gssapi_make_mech_header(u_char *p,
+ size_t len)
+{
+ int e;
+ size_t len_len, foo;
+
+ *p++ = 0x60;
+ len_len = length_len(len);
+ e = der_put_length (p + len_len - 1, len_len, len, &foo);
+ if(e || foo != len_len)
+ abort ();
+ p += len_len;
+ *p++ = 0x06;
+ *p++ = GSS_KRB5_MECHANISM->length;
+ memcpy (p, GSS_KRB5_MECHANISM->elements, GSS_KRB5_MECHANISM->length);
+ p += GSS_KRB5_MECHANISM->length;
+ return p;
+}
+
/*
* Give it a krb5_data and it will encapsulate with extra GSS-API wrappings.
*/
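Review bot: `_gssapi_make_mech_header` writes the tag, the DER length and the OID through `p` with no buffer-size parameter and no comment, so its safety depends entirely on the caller; a header comment should say that `p` must point at a buffer of the `total_len` computed by `gssapi_krb5_encap_length` for the same `len`, and that the return value points just past the OID. `*p++ = GSS_KRB5_MECHANISM->length;` emits the OID length as a single byte, which is a valid DER length only below 128; a comment or an assertion would record that assumption. The `abort ()` on an encoding mismatch terminates the calling process from inside a library, which is worth a why-comment if it is deliberate.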
diff --git a/kerberosV/src/lib/gssapi/get_mic.c b/kerberosV/src/lib/gssapi/get_mic.c
index 6638448467d..7e9ad08dceb 100644
--- a/kerberosV/src/lib/gssapi/get_mic.c
+++ b/kerberosV/src/lib/gssapi/get_mic.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$KTH: get_mic.c,v 1.21 2003/03/16 18:02:04 lha Exp $");
+RCSID("$KTH: get_mic.c,v 1.21.2.1 2003/09/18 22:05:12 lha Exp $");
static OM_uint32
mic_des
@@ -281,6 +281,10 @@ OM_uint32 gss_get_mic
ret = mic_des3 (minor_status, context_handle, qop_req,
message_buffer, message_token, key);
break;
+ case KEYTYPE_ARCFOUR:
+ ret = _gssapi_get_mic_arcfour (minor_status, context_handle, qop_req,
+ message_buffer, message_token, key);
+ break;
default :
*minor_status = KRB5_PROG_ETYPE_NOSUPP;
ret = GSS_S_FAILURE;
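Review bot: Only `KEYTYPE_ARCFOUR` is dispatched here, while `arcfour_mic_key` in the new arcfour.c carries a separate branch for `KEYTYPE_ARCFOUR_56`; if the switch is on the key's keytype, as the neighbouring cases suggest, a 56-bit key ends in `default` with `KRB5_PROG_ETYPE_NOSUPP` and that branch is never reached from this path. If rejecting the 56-bit type is intended, a comment on the new case such as `/* KEYTYPE_ARCFOUR_56 is not accepted for MICs; it falls through to default */` would record it. The switch statement begins and ends outside the hunk.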
diff --git a/kerberosV/src/lib/gssapi/gss_acquire_cred.cat3 b/kerberosV/src/lib/gssapi/gss_acquire_cred.cat3
new file mode 100644
index 00000000000..37f2c744551
--- /dev/null
+++ b/kerberosV/src/lib/gssapi/gss_acquire_cred.cat3
@@ -0,0 +1,275 @@
+
+GSS_ACQUIRE_CRED(3) UNIX Programmer's Manual GSS_ACQUIRE_CRED(3)
+
+NNAAMMEE
+ ggssss__aacccceepptt__sseecc__ccoonntteexxtt, ggssss__aaccqquuiirree__ccrreedd, ggssss__aadddd__ccrreedd,
+ ggssss__aadddd__ooiidd__sseett__mmeemmbbeerr, ggssss__ccaannoonniiccaalliizzee__nnaammee, ggssss__ccoommppaarree__nnaammee,
+ ggssss__ccoonntteexxtt__ttiimmee, ggssss__ccrreeaattee__eemmppttyy__ooiidd__sseett, ggssss__ddeelleettee__sseecc__ccoonntteexxtt,
+ ggssss__ddiissppllaayy__nnaammee, ggssss__ddiissppllaayy__ssttaattuuss, ggssss__dduupplliiccaattee__nnaammee,
+ ggssss__eexxppoorrtt__nnaammee, ggssss__eexxppoorrtt__sseecc__ccoonntteexxtt, ggssss__ggeett__mmiicc, ggssss__iimmppoorrtt__nnaammee,
+ ggssss__iimmppoorrtt__sseecc__ccoonntteexxtt, ggssss__iinnddiiccaattee__mmeecchhss, ggssss__iinniitt__sseecc__ccoonntteexxtt,
+ ggssss__iinnqquuiirree__ccoonntteexxtt, ggssss__iinnqquuiirree__ccrreedd, ggssss__iinnqquuiirree__ccrreedd__bbyy__mmeecchh,
+ ggssss__iinnqquuiirree__mmeecchhss__ffoorr__nnaammee, ggssss__iinnqquuiirree__nnaammeess__ffoorr__mmeecchh,
+ ggssss__kkrrbb55__ccooppyy__ccccaacchhee, ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc,
+ ggssss__pprroocceessss__ccoonntteexxtt__ttookkeenn, ggssss__rreelleeaassee__bbuuffffeerr, ggssss__rreelleeaassee__ccrreedd,
+ ggssss__rreelleeaassee__nnaammee, ggssss__rreelleeaassee__ooiidd__sseett, ggssss__sseeaall, ggssss__ssiiggnn,
+ ggssss__tteesstt__ooiidd__sseett__mmeemmbbeerr, ggssss__uunnsseeaall, ggssss__uunnwwrraapp, ggssss__vveerriiffyy,
+ ggssss__vveerriiffyy__mmiicc, ggssss__wwrraapp, ggssss__wwrraapp__ssiizzee__lliimmiitt - Generic Security Service
+ Application Program Interface library
+
+LLIIBBRRAARRYY
+ GSS-API library (libgssapi, -lgssapi)
+
+SSYYNNOOPPSSIISS
+ _O_M___u_i_n_t_3_2
+ ggssss__aacccceepptt__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+ _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e,
+ _c_o_n_s_t _g_s_s___c_r_e_d___i_d___t _a_c_c_e_p_t_o_r___c_r_e_d___h_a_n_d_l_e,
+ _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___t_o_k_e_n___b_u_f_f_e_r,
+ _c_o_n_s_t _g_s_s___c_h_a_n_n_e_l___b_i_n_d_i_n_g_s___t _i_n_p_u_t___c_h_a_n___b_i_n_d_i_n_g_s,
+ _g_s_s___n_a_m_e___t _* _s_r_c___n_a_m_e, _g_s_s___O_I_D _* _m_e_c_h___t_y_p_e,
+ _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___t_o_k_e_n, _O_M___u_i_n_t_3_2 _* _r_e_t___f_l_a_g_s,
+ _O_M___u_i_n_t_3_2 _* _t_i_m_e___r_e_c, _g_s_s___c_r_e_d___i_d___t _* _d_e_l_e_g_a_t_e_d___c_r_e_d___h_a_n_d_l_e)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__aaccqquuiirree__ccrreedd(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _d_e_s_i_r_e_d___n_a_m_e,
+ _O_M___u_i_n_t_3_2 _t_i_m_e___r_e_q, _c_o_n_s_t _g_s_s___O_I_D___s_e_t _d_e_s_i_r_e_d___m_e_c_h_s,
+ _g_s_s___c_r_e_d___u_s_a_g_e___t _c_r_e_d___u_s_a_g_e, _g_s_s___c_r_e_d___i_d___t _* _o_u_t_p_u_t___c_r_e_d___h_a_n_d_l_e,
+ _g_s_s___O_I_D___s_e_t _* _a_c_t_u_a_l___m_e_c_h_s, _O_M___u_i_n_t_3_2 _* _t_i_m_e___r_e_c)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__aadddd__ooiidd__sseett__mmeemmbbeerr(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+ _c_o_n_s_t _g_s_s___O_I_D _m_e_m_b_e_r___o_i_d, _g_s_s___O_I_D___s_e_t _* _o_i_d___s_e_t)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__ccaannoonniiccaalliizzee__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+ _c_o_n_s_t _g_s_s___n_a_m_e___t _i_n_p_u_t___n_a_m_e, _c_o_n_s_t _g_s_s___O_I_D _m_e_c_h___t_y_p_e,
+ _g_s_s___n_a_m_e___t _* _o_u_t_p_u_t___n_a_m_e)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__ccoommppaarree__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _n_a_m_e_1,
+ _c_o_n_s_t _g_s_s___n_a_m_e___t _n_a_m_e_2, _i_n_t _* _n_a_m_e___e_q_u_a_l)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__ccoonntteexxtt__ttiimmee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+ _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _O_M___u_i_n_t_3_2 _* _t_i_m_e___r_e_c)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__ccrreeaattee__eemmppttyy__ooiidd__sseett(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___O_I_D___s_e_t _* _o_i_d___s_e_t)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__ddeelleettee__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+ _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e, _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___t_o_k_e_n)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__ddiissppllaayy__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _i_n_p_u_t___n_a_m_e,
+ _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___n_a_m_e___b_u_f_f_e_r, _g_s_s___O_I_D _* _o_u_t_p_u_t___n_a_m_e___t_y_p_e)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__ddiissppllaayy__ssttaattuuss(_O_M___u_i_n_t_3_2 _*_m_i_n_o_r___s_t_a_t_u_s, _O_M___u_i_n_t_3_2 _s_t_a_t_u_s___v_a_l_u_e,
+ _i_n_t _s_t_a_t_u_s___t_y_p_e, _c_o_n_s_t _g_s_s___O_I_D _m_e_c_h___t_y_p_e,
+ _O_M___u_i_n_t_3_2 _*_m_e_s_s_a_g_e___c_o_n_t_e_x_t, _g_s_s___b_u_f_f_e_r___t _s_t_a_t_u_s___s_t_r_i_n_g)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__dduupplliiccaattee__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _s_r_c___n_a_m_e,
+ _g_s_s___n_a_m_e___t _* _d_e_s_t___n_a_m_e)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__eexxppoorrtt__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___n_a_m_e___t _i_n_p_u_t___n_a_m_e,
+ _g_s_s___b_u_f_f_e_r___t _e_x_p_o_r_t_e_d___n_a_m_e)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__eexxppoorrtt__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+ _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e, _g_s_s___b_u_f_f_e_r___t _i_n_t_e_r_p_r_o_c_e_s_s___t_o_k_e_n)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__ggeett__mmiicc(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+ _g_s_s___q_o_p___t _q_o_p___r_e_q, _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___b_u_f_f_e_r,
+ _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___t_o_k_e_n)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__iimmppoorrtt__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s_,,
+ _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___n_a_m_e___b_u_f_f_e_r,
+ _c_o_n_s_t _g_s_s___O_I_D _i_n_p_u_t___n_a_m_e___t_y_p_e, _g_s_s___n_a_m_e___t _* _o_u_t_p_u_t___n_a_m_e)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__iimmppoorrtt__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+ _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_t_e_r_p_r_o_c_e_s_s___t_o_k_e_n,
+ _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__iinnddiiccaattee__mmeecchhss(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___O_I_D___s_e_t _* _m_e_c_h___s_e_t)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__iinniitt__sseecc__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+ _c_o_n_s_t _g_s_s___c_r_e_d___i_d___t _i_n_i_t_i_a_t_o_r___c_r_e_d___h_a_n_d_l_e,
+ _g_s_s___c_t_x___i_d___t _* _c_o_n_t_e_x_t___h_a_n_d_l_e, _c_o_n_s_t _g_s_s___n_a_m_e___t _t_a_r_g_e_t___n_a_m_e,
+ _c_o_n_s_t _g_s_s___O_I_D _m_e_c_h___t_y_p_e, _O_M___u_i_n_t_3_2 _r_e_q___f_l_a_g_s, _O_M___u_i_n_t_3_2 _t_i_m_e___r_e_q,
+ _c_o_n_s_t _g_s_s___c_h_a_n_n_e_l___b_i_n_d_i_n_g_s___t _i_n_p_u_t___c_h_a_n___b_i_n_d_i_n_g_s,
+ _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___t_o_k_e_n, _g_s_s___O_I_D _* _a_c_t_u_a_l___m_e_c_h___t_y_p_e,
+ _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___t_o_k_e_n, _O_M___u_i_n_t_3_2 _* _r_e_t___f_l_a_g_s,
+ _O_M___u_i_n_t_3_2 _* _t_i_m_e___r_e_c)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__iinnqquuiirree__ccoonntteexxtt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+ _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _g_s_s___n_a_m_e___t _* _s_r_c___n_a_m_e,
+ _g_s_s___n_a_m_e___t _* _t_a_r_g___n_a_m_e, _O_M___u_i_n_t_3_2 _* _l_i_f_e_t_i_m_e___r_e_c,
+ _g_s_s___O_I_D _* _m_e_c_h___t_y_p_e, _O_M___u_i_n_t_3_2 _* _c_t_x___f_l_a_g_s,
+ _i_n_t _* _l_o_c_a_l_l_y___i_n_i_t_i_a_t_e_d, _i_n_t _* _o_p_e_n___c_o_n_t_e_x_t)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__iinnqquuiirree__ccrreedd(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+ _c_o_n_s_t _g_s_s___c_r_e_d___i_d___t _c_r_e_d___h_a_n_d_l_e, _g_s_s___n_a_m_e___t _* _n_a_m_e,
+ _O_M___u_i_n_t_3_2 _* _l_i_f_e_t_i_m_e, _g_s_s___c_r_e_d___u_s_a_g_e___t _* _c_r_e_d___u_s_a_g_e,
+ _g_s_s___O_I_D___s_e_t _* _m_e_c_h_a_n_i_s_m_s)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__iinnqquuiirree__ccrreedd__bbyy__mmeecchh()
+
+ _O_M___u_i_n_t_3_2
+ ggssss__iinnqquuiirree__mmeecchhss__ffoorr__nnaammee()
+
+
+ _O_M___u_i_n_t_3_2
+ ggssss__iinnqquuiirree__nnaammeess__ffoorr__mmeecchh()
+
+ _O_M___u_i_n_t_3_2
+ ggssss__kkrrbb55__ccooppyy__ccccaacchhee(_O_M___u_i_n_t_3_2 _*_m_i_n_o_r, _g_s_s___c_r_e_d___i_d___t _c_r_e_d,
+ _k_r_b_5___c_c_a_c_h_e _o_u_t)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+ _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _i_n_t _o_n_o_f_f)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__pprroocceessss__ccoonntteexxtt__ttookkeenn()
+
+ _O_M___u_i_n_t_3_2
+ ggssss__rreelleeaassee__bbuuffffeerr(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___b_u_f_f_e_r___t _b_u_f_f_e_r)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__rreelleeaassee__ccrreedd(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_r_e_d___i_d___t _* _c_r_e_d___h_a_n_d_l_e)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__rreelleeaassee__nnaammee(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___n_a_m_e___t _* _i_n_p_u_t___n_a_m_e)
+
+
+ ggssss__rreelleeaassee__ooiidd__sseett(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___O_I_D___s_e_t _* _s_e_t)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__sseeaall(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+ _i_n_t _c_o_n_f___r_e_q___f_l_a_g, _i_n_t _q_o_p___r_e_q,
+ _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r, _i_n_t _* _c_o_n_f___s_t_a_t_e,
+ _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__ssiiggnn(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+ _i_n_t _q_o_p___r_e_q, _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___b_u_f_f_e_r,
+ _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___t_o_k_e_n)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__tteesstt__ooiidd__sseett__mmeemmbbeerr(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___O_I_D _m_e_m_b_e_r,
+ _c_o_n_s_t _g_s_s___O_I_D___s_e_t _s_e_t, _i_n_t _* _p_r_e_s_e_n_t)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__uunnsseeaall(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+ _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r,
+ _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r, _i_n_t _* _c_o_n_f___s_t_a_t_e,
+ _i_n_t _* _q_o_p___s_t_a_t_e)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__uunnwwrraapp(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+ _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r,
+ _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r, _i_n_t _* _c_o_n_f___s_t_a_t_e,
+ _g_s_s___q_o_p___t _* _q_o_p___s_t_a_t_e)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__vveerriiffyy(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+ _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___b_u_f_f_e_r, _g_s_s___b_u_f_f_e_r___t _t_o_k_e_n___b_u_f_f_e_r,
+ _i_n_t _* _q_o_p___s_t_a_t_e)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__vveerriiffyy__mmiicc(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+ _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+ _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _m_e_s_s_a_g_e___b_u_f_f_e_r,
+ _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _t_o_k_e_n___b_u_f_f_e_r, _g_s_s___q_o_p___t _* _q_o_p___s_t_a_t_e)
+
+
+
+ ggssss__wwrraapp(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s, _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e,
+ _i_n_t _c_o_n_f___r_e_q___f_l_a_g, _g_s_s___q_o_p___t _q_o_p___r_e_q,
+ _c_o_n_s_t _g_s_s___b_u_f_f_e_r___t _i_n_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r, _i_n_t _* _c_o_n_f___s_t_a_t_e,
+ _g_s_s___b_u_f_f_e_r___t _o_u_t_p_u_t___m_e_s_s_a_g_e___b_u_f_f_e_r)
+
+ _O_M___u_i_n_t_3_2
+ ggssss__wwrraapp__ssiizzee__lliimmiitt(_O_M___u_i_n_t_3_2 _* _m_i_n_o_r___s_t_a_t_u_s,
+ _c_o_n_s_t _g_s_s___c_t_x___i_d___t _c_o_n_t_e_x_t___h_a_n_d_l_e, _i_n_t _c_o_n_f___r_e_q___f_l_a_g,
+ _g_s_s___q_o_p___t _q_o_p___r_e_q, _O_M___u_i_n_t_3_2 _r_e_q___o_u_t_p_u_t___s_i_z_e,
+ _O_M___u_i_n_t_3_2 _* _m_a_x___i_n_p_u_t___s_i_z_e)
+
+DDEESSCCRRIIPPTTIIOONN
+ Generic Security Service API (GSS-API) version 2, and its C binding, is
+ described in RFC2743 and RFC2744. Version 1 (deprecated) of the C binding
+ is described in RFC1509.
+
+ Heimdals GSS-API implementation supports the following mechanisms
+
+ ++oo GSS_KRB5_MECHANISM
+
+ GSS-API have generic name types that all mechanism are supposed to imple-
+ ment (if possible)
+
+ ++oo GSS_C_NT_USER_NAME
+
+ ++oo GSS_C_NT_MACHINE_UID_NAME
+
+ ++oo GSS_C_NT_STRING_UID_NAME
+
+ ++oo GSS_C_NT_HOSTBASED_SERVICE
+
+ ++oo GSS_C_NT_ANONYMOUS
+
+ ++oo GSS_C_NT_EXPORT_NAME
+
+ GSS-API implementations that supports Kerberos 5 have some additional
+ name types
+
+ ++oo GSS_KRB5_NT_PRINCIPAL_NAME
+
+ ++oo GSS_KRB5_NT_USER_NAME
+
+ ++oo GSS_KRB5_NT_MACHINE_UID_NAME
+
+ ++oo GSS_KRB5_NT_STRING_UID_NAME
+
+ ggssss__ddiissppllaayy__nnaammee() takes the gss name in _i_n_p_u_t___n_a_m_e and put a printable
+ form in _o_u_t_p_u_t___n_a_m_e___b_u_f_f_e_r. _o_u_t_p_u_t___n_a_m_e___b_u_f_f_e_r should be freed when done
+ using ggssss__rreelleeaassee__bbuuffffeerr(). _o_u_t_p_u_t___n_a_m_e___t_y_p_e can either be NULL or a
+ pointer to a gss_OID and will in the later case contain the OID type of
+ the name. The name should only be used for printing. Access control
+ should be done with the result of ggssss__eexxppoorrtt__nnaammee().
+
+ ggssss__ssiiggnn(), ggssss__vveerriiffyy(), ggssss__sseeaall(), and ggssss__uunnsseeaall() are part of the
+ GSS-API V1 interface and are obsolete. The functions should not be used
+ for new applications. They are provided so that version 1 applications
+ can link against the library.
+
+ ggssss__kkrrbb55__ccooppyy__ccccaacchhee() is an extension to the GSS-API API. The function
+ will extract the krb5 credential that are transfered from the initiator
+ to the acceptor when using token delegation in the Kerberos mechanism.
+ The acceptor receives the delegated token in the last argument to
+ ggssss__aacccceepptt__sseecc__ccoonntteexxtt().
+
+
+ ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc turns on or off the compatibly with older ver-
+ sion of Heimdal using des3 get and verify mic, this is way to programmat-
+ ically set the [gssapi]broken_des3_mic and [gssapi]correct_des3_mic flags
+ (see COMPATIBILITY section in gssapi(3)). If the CPP symbol
+ GSS_C_KRB5_COMPAT_DES3_MIC is present, ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc exists.
+ ggssss__kkrrbb55__ccoommppaatt__ddeess33__mmiicc will be removed in a later version of the GSS-
+ API library.
+
+SSEEEE AALLSSOO
+ krb5(3), krb5_ccache(3), gssapi(3), kerberos(8)
+
+ HEIMDAL April 2, 2003 5
diff --git a/kerberosV/src/lib/gssapi/gssapi.cat3 b/kerberosV/src/lib/gssapi/gssapi.cat3
new file mode 100644
index 00000000000..5969ecc2bcd
--- /dev/null
+++ b/kerberosV/src/lib/gssapi/gssapi.cat3
@@ -0,0 +1,101 @@
+
+GSSAPI(3) UNIX Programmer's Manual GSSAPI(3)
+
+NNAAMMEE
+ ggssssaappii - Generic Security Service Application Program Interface library
+
+LLIIBBRRAARRYY
+ GSS-API Library (libgssapi, -lgssapi)
+
+DDEESSCCRRIIPPTTIIOONN
+ The Generic Security Service Application Program Interface (GSS-API) pro-
+ vides security services to callers in a generic fashion, supportable with
+ a range of underlying mechanisms and technologies and hence allowing
+ source-level portability of applications to different environments.
+
+LLIISSTT OOFF FFUUNNCCTTIIOONNSS
+ These functions constitute the gssapi library, _l_i_b_g_s_s_a_p_i. Declarations
+ for these functions may be obtained from the include file _g_s_s_a_p_i_._h.
+
+
+ _N_a_m_e_/_P_a_g_e _D_e_s_c_r_i_p_t_i_o_n
+ gss_accept_sec_context.3
+ gss_acquire_cred.3
+ gss_add_cred.3
+ gss_add_oid_set_member.3
+ gss_canonicalize_name.3
+ gss_compare_name.3
+ gss_context_time.3
+ gss_create_empty_oid_set.3
+ gss_delete_sec_context.3
+ gss_display_name.3
+ gss_display_status.3
+ gss_duplicate_name.3
+ gss_export_name.3
+ gss_export_sec_context.3
+ gss_get_mic.3
+ gss_import_name.3
+ gss_import_sec_context.3
+ gss_indicate_mechs.3
+ gss_init_sec_context.3
+ gss_inquire_context.3
+ gss_inquire_cred.3
+ gss_inquire_cred_by_mech.3
+ gss_inquire_mechs_for_name.3
+ gss_inquire_names_for_mech.3
+ gss_krb5_copy_ccache.3
+ gss_process_context_token.3
+ gss_release_buffer.3
+ gss_release_cred.3
+ gss_release_name.3
+ gss_release_oid_set.3
+ gss_seal.3
+ gss_sign.3
+ gss_test_oid_set_member.3
+ gss_unseal.3
+ gss_unwrap.3
+ gss_verify.3
+ gss_verify_mic.3
+ gss_wrap.3
+ gss_wrap_size_limit.3
+
+CCOOMMPPAATTIIBBIILLIITTYY
+ The HHeeiimmddaall GSS-API implementation had a bug in releases before 0.6 that
+ made it fail to inter-operate when using DES3 with other GSS-API imple-
+ mentations when using ggssss__ggeett__mmiicc() / ggssss__vveerriiffyy__mmiicc(). Its possible to
+ modify the behavior of the generator of the MIC with the _k_r_b_5_._c_o_n_f con-
+ figuration file so that old clients/servers will still work.
+
+ New clients/servers will try both the old and new MIC in Heimdal 0.6. In
+ 0.7 it will check only if configured and the compatibility code will be
+ removed in 0.8.
+
+ Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, this
+ will change in 0.7 to generate correct des3 mic.
+
+ To turn on compatibility with older clients and servers, change the
+ [[ggssssaappii]] _b_r_o_k_e_n___d_e_s_3___m_i_c in _k_r_b_5_._c_o_n_f that contains a list of globbing
+ expressions that will be matched against the server name. To turn off
+ generation of the old (incompatible) mic of the MIC use [[ggssssaappii]]
+ _c_o_r_r_e_c_t___d_e_s_3___m_i_c.
+
+ If a match for a entry is in both [[ggssssaappii]] _c_o_r_r_e_c_t___d_e_s_3___m_i_c and [[ggssssaappii]]
+ _c_o_r_r_e_c_t___d_e_s_3___m_i_c, the later will override.
+
+ This config option modifies behaviour for both clients and servers.
+
+ Example:
+
+ [gssapi]
+ broken_des3_mic = cvs/*@SU.SE
+ broken_des3_mic = host/*@E.KTH.SE
+ correct_des3_mic = host/*@SU.SE
+
+BBUUGGSS
+ All of 0.5.x versions of hheeiimmddaall had broken token delegations in the
+ client side, the server side was correct.
+
+SSEEEE AALLSSOO
+ krb5(3), krb5.conf(5), kerberos(8)
+
+BSD Experimental January 23, 2003 2
diff --git a/kerberosV/src/lib/gssapi/gssapi_locl.h b/kerberosV/src/lib/gssapi/gssapi_locl.h
index 57e6c12e913..b80332a7504 100644
--- a/kerberosV/src/lib/gssapi/gssapi_locl.h
+++ b/kerberosV/src/lib/gssapi/gssapi_locl.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $KTH: gssapi_locl.h,v 1.24 2003/03/16 17:30:15 lha Exp $ */
+/* $KTH: gssapi_locl.h,v 1.24.2.5 2003/09/18 22:01:52 lha Exp $ */
#ifndef GSSAPI_LOCL_H
#define GSSAPI_LOCL_H
@@ -44,6 +44,8 @@
#include <gssapi.h>
#include <assert.h>
+#include "arcfour.h"
+
extern krb5_context gssapi_krb5_context;
extern krb5_keytab gssapi_krb5_keytab;
@@ -81,6 +83,10 @@ gssapi_krb5_encapsulate(
gss_buffer_t output_token,
u_char *type);
+u_char *
+_gssapi_make_mech_header(u_char *p,
+ size_t len);
+
OM_uint32
gssapi_krb5_decapsulate(
OM_uint32 *minor_status,
@@ -103,6 +109,14 @@ gssapi_krb5_verify_header(u_char **str,
size_t total_len,
char *type);
+
+OM_uint32
+_gssapi_verify_mech_header(u_char **str,
+ size_t total_len);
+
+OM_uint32
+_gssapi_verify_pad(gss_buffer_t, size_t, size_t *);
+
OM_uint32
gss_verify_mic_internal(OM_uint32 * minor_status,
const gss_ctx_id_t context_handle,
@@ -145,4 +159,21 @@ gssapi_krb5_get_error_string (void);
OM_uint32
_gss_DES3_get_mic_compat(OM_uint32 *minor_status, gss_ctx_id_t ctx);
+OM_uint32
+gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *);
+
+/* 8003 */
+
+krb5_error_code
+gssapi_encode_om_uint32(OM_uint32, u_char *);
+
+krb5_error_code
+gssapi_encode_be_om_uint32(OM_uint32, u_char *);
+
+krb5_error_code
+gssapi_decode_om_uint32(u_char *, OM_uint32 *);
+
+krb5_error_code
+gssapi_decode_be_om_uint32(u_char *, OM_uint32 *);
+
#endif
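Review bot: The `/* 8003 */` comment above the four `gssapi_*_om_uint32` prototypes does not say what 8003 refers to, and none of the new declarations states the byte order or how large the `u_char *` buffer must be (presumably 4 bytes; confirm against the definitions). The new prototypes `gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *)` here and `_gssapi_verify_pad(gss_buffer_t, size_t, size_t *)` in the previous hunk also drop their parameter names, while the neighbouring declarations keep them. Naming the parameters, e.g. `gssapi_lifetime_left(OM_uint32 *minor_status, OM_uint32 lifetime, OM_uint32 *lifetime_rec);`, and a one-line comment per encode/decode pair would let callers size their buffers from the header alone.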
diff --git a/kerberosV/src/lib/gssapi/init_sec_context.c b/kerberosV/src/lib/gssapi/init_sec_context.c
index 3ea41b5cdd0..2a9c161259b 100644
--- a/kerberosV/src/lib/gssapi/init_sec_context.c
+++ b/kerberosV/src/lib/gssapi/init_sec_context.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$KTH: init_sec_context.c,v 1.36 2003/03/16 18:00:00 lha Exp $");
+RCSID("$KTH: init_sec_context.c,v 1.36.2.1 2003/08/15 14:21:18 lha Exp $");
/*
* copy the addresses from `input_chan_bindings' (if any) to
@@ -193,6 +193,7 @@ init_auth
Checksum cksum;
krb5_enctype enctype;
krb5_data fwd_data;
+ OM_uint32 lifetime_rec;
krb5_data_zero(&outbuf);
krb5_data_zero(&fwd_data);
@@ -292,7 +293,7 @@ init_auth
} else
this_cred.times.endtime = 0;
this_cred.session.keytype = 0;
-
+
kret = krb5_get_credentials (gssapi_krb5_context,
KRB5_TC_MATCH_KEYTYPE,
ccache,
@@ -308,10 +309,23 @@ init_auth
(*context_handle)->lifetime = cred->times.endtime;
+ ret = gssapi_lifetime_left(minor_status,
+ (*context_handle)->lifetime,
+ &lifetime_rec);
+ if (ret) {
+ goto failure;
+ }
+
+ if (lifetime_rec == 0) {
+ *minor_status = 0;
+ ret = GSS_S_CONTEXT_EXPIRED;
+ goto failure;
+ }
+
krb5_auth_con_setkey(gssapi_krb5_context,
(*context_handle)->auth_context,
&cred->session);
-
+
kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context,
(*context_handle)->auth_context,
&cred->session);
@@ -321,13 +335,13 @@ init_auth
ret = GSS_S_FAILURE;
goto failure;
}
-
+
flags = 0;
ap_options = 0;
if (req_flags & GSS_C_DELEG_FLAG)
do_delegation ((*context_handle)->auth_context,
ccache, cred, target_name, &fwd_data, &flags);
-
+
if (req_flags & GSS_C_MUTUAL_FLAG) {
flags |= GSS_C_MUTUAL_FLAG;
ap_options |= AP_OPTS_MUTUAL_REQUIRED;
@@ -413,7 +427,7 @@ init_auth
return GSS_S_CONTINUE_NEEDED;
} else {
if (time_rec)
- *time_rec = (*context_handle)->lifetime;
+ *time_rec = lifetime_rec;
(*context_handle)->more_flags |= OPEN;
return GSS_S_COMPLETE;
@@ -479,16 +493,21 @@ repl_mutual
}
krb5_free_ap_rep_enc_part (gssapi_krb5_context,
repl);
-
- (*context_handle)->more_flags |= OPEN;
- if (time_rec)
- *time_rec = (*context_handle)->lifetime;
+ (*context_handle)->more_flags |= OPEN;
+
+ *minor_status = 0;
+ if (time_rec) {
+ ret = gssapi_lifetime_left(minor_status,
+ (*context_handle)->lifetime,
+ time_rec);
+ } else {
+ ret = GSS_S_COMPLETE;
+ }
if (ret_flags)
*ret_flags = (*context_handle)->flags;
- *minor_status = 0;
- return GSS_S_COMPLETE;
+ return ret;
}
/*
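Review bot: In `repl_mutual` the context is marked `OPEN` before the lifetime is examined, and an expired ticket is only noticed when the caller passes a non-NULL `time_rec`. `init_auth` in this same commit always calls `gssapi_lifetime_left` and fails with `GSS_S_CONTEXT_EXPIRED` when nothing is left. A failure return from `gssapi_lifetime_left` is also handed back with `OPEN` already set. Computing the lifetime into a local `OM_uint32 lifetime_rec` first and setting `OPEN` only after both checks pass would make the two paths agree. How this function cleans up on error is outside the hunk, so the returns below need adapting to that.

```c
/* … unchanged: krb5_free_ap_rep_enc_part call … */
*minor_status = 0;
ret = gssapi_lifetime_left(minor_status,
			   (*context_handle)->lifetime,
			   &lifetime_rec);
if (ret)
    return ret;
if (lifetime_rec == 0)
    return GSS_S_CONTEXT_EXPIRED;
if (time_rec)
    *time_rec = lifetime_rec;

/* only a context with remaining lifetime is marked established */
(*context_handle)->more_flags |= OPEN;
/* … unchanged: ret_flags assignment … */
return GSS_S_COMPLETE;
```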
diff --git a/kerberosV/src/lib/gssapi/release_cred.c b/kerberosV/src/lib/gssapi/release_cred.c
index f4082b740f9..91c08aad10f 100644
--- a/kerberosV/src/lib/gssapi/release_cred.c
+++ b/kerberosV/src/lib/gssapi/release_cred.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$KTH: release_cred.c,v 1.8 2003/03/16 17:52:19 lha Exp $");
+RCSID("$KTH: release_cred.c,v 1.8.2.1 2003/10/07 01:08:21 lha Exp $");
OM_uint32 gss_release_cred
(OM_uint32 * minor_status,
@@ -52,8 +52,14 @@ OM_uint32 gss_release_cred
krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
if ((*cred_handle)->keytab != NULL)
krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
- if ((*cred_handle)->ccache != NULL)
- krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
+ if ((*cred_handle)->ccache != NULL) {
+ const krb5_cc_ops *ops;
+ ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache);
+ if (ops == &krb5_mcc_ops)
+ krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache);
+ else
+ krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
+ }
gss_release_oid_set(NULL, &(*cred_handle)->mechanisms);
free(*cred_handle);
*cred_handle = GSS_C_NO_CREDENTIAL;
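Review bot: The new branch that calls `krb5_cc_destroy` when `ops == &krb5_mcc_ops` has no comment explaining why a memory ccache is destroyed while every other type is only closed, although that choice decides whether the credentials outlive the handle. If the reason is that memory caches are created for this handle alone (presumably for delegated credentials; confirm against the code that creates them), say so with something like `/* memory ccaches belong to this handle: destroy them so the tickets do not linger in process memory */`. The return values of `krb5_cc_destroy` and `krb5_cc_close` are both ignored, so a failed destroy goes unreported. `gss_release_cred` starts outside the hunk.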
diff --git a/kerberosV/src/lib/gssapi/unwrap.c b/kerberosV/src/lib/gssapi/unwrap.c
index b4789bc9c7e..a3688e0e077 100644
--- a/kerberosV/src/lib/gssapi/unwrap.c
+++ b/kerberosV/src/lib/gssapi/unwrap.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$KTH: unwrap.c,v 1.22 2003/03/16 17:54:43 lha Exp $");
+RCSID("$KTH: unwrap.c,v 1.22.2.1 2003/09/18 22:05:22 lha Exp $");
OM_uint32
gss_krb5_get_remotekey(const gss_ctx_id_t context_handle,
@@ -407,6 +407,11 @@ OM_uint32 gss_unwrap
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
+ case KEYTYPE_ARCFOUR:
+ ret = _gssapi_unwrap_arcfour (minor_status, context_handle,
+ input_message_buffer, output_message_buffer,
+ conf_state, qop_state, key);
+ break;
default :
*minor_status = KRB5_PROG_ETYPE_NOSUPP;
ret = GSS_S_FAILURE;
diff --git a/kerberosV/src/lib/gssapi/verify_mic.c b/kerberosV/src/lib/gssapi/verify_mic.c
index 83594cbd140..ab821f2e1ec 100644
--- a/kerberosV/src/lib/gssapi/verify_mic.c
+++ b/kerberosV/src/lib/gssapi/verify_mic.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$KTH: verify_mic.c,v 1.18.2.2 2003/05/05 18:59:42 lha Exp $");
+RCSID("$KTH: verify_mic.c,v 1.18.2.4 2003/09/18 22:05:34 lha Exp $");
static OM_uint32
verify_mic_des
@@ -59,10 +59,8 @@ verify_mic_des
ret = gssapi_krb5_verify_header (&p,
token_buffer->length,
type);
- if (ret) {
- *minor_status = 0;
+ if (ret)
return ret;
- }
if (memcmp(p, "\x00\x00", 2) != 0)
return GSS_S_BAD_SIG;
@@ -88,7 +86,6 @@ verify_mic_des
if (memcmp (p - 8, hash, 8) != 0) {
memset (deskey, 0, sizeof(deskey));
memset (schedule, 0, sizeof(schedule));
- *minor_status = 0;
return GSS_S_BAD_MIC;
}
@@ -114,7 +111,6 @@ verify_mic_des
memset (schedule, 0, sizeof(schedule));
if (memcmp (p, seq_data, 8) != 0) {
- *minor_status = 0;
return GSS_S_BAD_MIC;
}
@@ -122,7 +118,6 @@ verify_mic_des
context_handle->auth_context,
++seq_number);
- *minor_status = 0;
return GSS_S_COMPLETE;
}
@@ -152,10 +147,8 @@ verify_mic_des3
ret = gssapi_krb5_verify_header (&p,
token_buffer->length,
type);
- if (ret) {
- *minor_status = 0;
+ if (ret)
return ret;
- }
if (memcmp(p, "\x04\x00", 2) != 0) /* SGN_ALG = HMAC SHA1 DES3-KD */
return GSS_S_BAD_SIG;
@@ -256,7 +249,6 @@ retry:
++seq_number);
krb5_crypto_destroy (gssapi_krb5_context, crypto);
- *minor_status = 0;
return GSS_S_COMPLETE;
}
@@ -280,6 +272,7 @@ gss_verify_mic_internal
*minor_status = ret;
return GSS_S_FAILURE;
}
+ *minor_status = 0;
krb5_enctype_to_keytype (gssapi_krb5_context, key->keytype, &keytype);
switch (keytype) {
case KEYTYPE_DES :
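Review bot: With the per-path assignments removed in the earlier hunks, the `*minor_status = 0;` added here in `gss_verify_mic_internal` is the only thing that gives the `GSS_S_BAD_MIC`, `GSS_S_BAD_SIG` and success returns of `verify_mic_des` and `verify_mic_des3` a defined minor status. Nothing documents that the helpers now rely on their caller for this. A comment above each static helper, e.g. `/* the caller has already set *minor_status to 0 */`, would keep a later direct caller from returning an uninitialised value. The function continues outside the hunk.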
@@ -292,6 +285,11 @@ gss_verify_mic_internal
message_buffer, token_buffer, qop_state, key,
type);
break;
+ case KEYTYPE_ARCFOUR :
+ ret = _gssapi_verify_mic_arcfour (minor_status, context_handle,
+ message_buffer, token_buffer,
+ qop_state, key, type);
+ break;
default :
*minor_status = KRB5_PROG_ETYPE_NOSUPP;
ret = GSS_S_FAILURE;
diff --git a/kerberosV/src/lib/gssapi/wrap.c b/kerberosV/src/lib/gssapi/wrap.c
index 1d6259b10e6..8c3d0943c59 100644
--- a/kerberosV/src/lib/gssapi/wrap.c
+++ b/kerberosV/src/lib/gssapi/wrap.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$KTH: wrap.c,v 1.21 2003/03/16 17:57:48 lha Exp $");
+RCSID("$KTH: wrap.c,v 1.21.2.1 2003/09/18 22:05:45 lha Exp $");
OM_uint32
gss_krb5_get_localkey(const gss_ctx_id_t context_handle,
@@ -98,6 +98,7 @@ gss_wrap_size_limit (
switch (keytype) {
case KEYTYPE_DES :
+ case KEYTYPE_ARCFOUR:
ret = sub_wrap_size(req_output_size, max_input_size, 8, 22);
break;
case KEYTYPE_DES3 :
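Review bot: `case KEYTYPE_ARCFOUR:` falls through to the DES sizing `sub_wrap_size(req_output_size, max_input_size, 8, 22)` with no comment saying why a stream cipher shares the DES block size and overhead constants. If the arcfour wrap token adds more than this, `gss_wrap_size_limit` will report a `max_input_size` whose wrapped form exceeds `req_output_size`, so the two numbers should be checked against what `_gssapi_wrap_arcfour` actually emits. Once confirmed, record it next to the label, e.g. `/* arcfour wrap tokens are sized like DES ones here; see _gssapi_wrap_arcfour */`. `gss_wrap_size_limit` starts and ends outside the hunk.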
@@ -438,6 +439,11 @@ OM_uint32 gss_wrap
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break;
+ case KEYTYPE_ARCFOUR:
+ ret = _gssapi_wrap_arcfour (minor_status, context_handle, conf_req_flag,
+ qop_req, input_message_buffer, conf_state,
+ output_message_buffer, key);
+ break;
default :
*minor_status = KRB5_PROG_ETYPE_NOSUPP;
ret = GSS_S_FAILURE;
diff --git a/kerberosV/src/lib/hdb/db3.c b/kerberosV/src/lib/hdb/db3.c
index ee88026a618..a7c9d959963 100644
--- a/kerberosV/src/lib/hdb/db3.c
+++ b/kerberosV/src/lib/hdb/db3.c
@@ -33,11 +33,17 @@
#include "hdb_locl.h"
-RCSID("$KTH: db3.c,v 1.8 2001/08/09 08:41:48 assar Exp $");
+RCSID("$KTH: db3.c,v 1.8.6.1 2003/08/29 16:59:39 lha Exp $");
#if HAVE_DB3
+#ifdef HAVE_DB4_DB_H
+#include <db4/db.h>
+#elif defined(HAVE_DB3_DB_H)
+#include <db3/db.h>
+#else
#include <db.h>
+#endif
static krb5_error_code
DB_close(krb5_context context, HDB *db)
@@ -87,7 +93,6 @@ static krb5_error_code
DB_seq(krb5_context context, HDB *db,
unsigned flags, hdb_entry *entry, int flag)
{
- DB *d = (DB*)db->db;
DBT key, value;
DBC *dbcp = db->dbc;
krb5_data key_data, data;
@@ -262,10 +267,18 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
}
db_create(&d, NULL, 0);
db->db = d;
+#if (DB_VERSION_MAJOR > 3) && (DB_VERSION_MINOR > 0)
+ if ((ret = d->open(db->db, NULL, fn, NULL, DB_BTREE, myflags, mode))) {
+#else
if ((ret = d->open(db->db, fn, NULL, DB_BTREE, myflags, mode))) {
+#endif
if(ret == ENOENT)
/* try to open without .db extension */
+#if (DB_VERSION_MAJOR > 3) && (DB_VERSION_MINOR > 0)
+ if (d->open(db->db, NULL, db->name, NULL, DB_BTREE, myflags, mode)) {
+#else
if (d->open(db->db, db->name, NULL, DB_BTREE, myflags, mode)) {
+#endif
free(fn);
krb5_set_error_string(context, "opening %s: %s",
db->name, strerror(ret));
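Review bot: The version test `#if (DB_VERSION_MAJOR > 3) && (DB_VERSION_MINOR > 0)` is false for every release whose minor number is 0, so a 5.0 or 6.0 header would select the old six-argument `open` call. Major and minor have to be compared together: if the extra transaction argument arrived in 4.1 (as I believe; confirm against the db.h in use), both places should read `#if (DB_VERSION_MAJOR > 4) || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR >= 1)`. Splitting `if (...) {` across `#if`/`#else` also leaves two opening braces in the text for one closing brace, and a single macro or static helper wrapping `d->open` would avoid repeating the test. In the fallback the result of the second `d->open` is discarded and the message prints `strerror(ret)` from the first call. `DB_open` continues outside the hunk.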
diff --git a/kerberosV/src/lib/kadm5/ChangeLog b/kerberosV/src/lib/kadm5/ChangeLog
index 1879c19960e..51b559bf718 100644
--- a/kerberosV/src/lib/kadm5/ChangeLog
+++ b/kerberosV/src/lib/kadm5/ChangeLog
@@ -1,3 +1,19 @@
+2003-12-30 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * chpass_s.c: from 1.14->1.15:
+ (change): fix same-password-again by decrypting keys and setting
+ an error code. From: Buck Huppmann <buckh@pobox.com>
+
+2003-12-21 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * init_c.c: 1.47->1.48: (_kadm5_c_init_context): catch errors from
+ strdup and other krb5_ functions
+
+2003-08-15 Love Hörnquist Åstrand <lha@it.su.se>
+
+ * ipropd_slave.c: 1.27->1.28: (receive_everything): switch close
+ and rename From: Alf Wachsmann <alfw@SLAC.Stanford.EDU>
+
2003-04-16 Love Hörnquist Åstrand <lha@it.su.se>
* send_recv.c: check return values from krb5_data_alloc
diff --git a/kerberosV/src/lib/kadm5/chpass_s.c b/kerberosV/src/lib/kadm5/chpass_s.c
index 95e6429a396..0b30814a08d 100644
--- a/kerberosV/src/lib/kadm5/chpass_s.c
+++ b/kerberosV/src/lib/kadm5/chpass_s.c
@@ -33,7 +33,7 @@
#include "kadm5_locl.h"
-RCSID("$KTH: chpass_s.c,v 1.13 2001/01/30 01:24:28 assar Exp $");
+RCSID("$KTH: chpass_s.c,v 1.13.8.1 2003/12/30 15:59:58 lha Exp $");
static kadm5_ret_t
change(void *server_handle,
@@ -53,7 +53,7 @@ change(void *server_handle,
if(ret)
return ret;
ret = context->db->fetch(context->context, context->db,
- 0, &ent);
+ HDB_F_DECRYPT, &ent);
if(ret == HDB_ERR_NOENTRY)
goto out;
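Review bot: Fetching with `HDB_F_DECRYPT` means `ent` holds decrypted key material for the rest of `change()`, and neither visible hunk shows the keys being sealed again before the entry is stored or cleared on the `out2` path that the new `KADM5_PASS_REUSE` branch (next hunk) takes. Both are outside the hunks, so please confirm that the store path re-encrypts the keys with the master key and that freeing `ent` zeroes them. A comment at the fetch, e.g. `/* decrypt so the stored keys can be compared with the newly derived ones */`, would also explain why the flag changed. Note that the reuse check compares only against the keys currently stored in the entry.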
@@ -73,9 +73,11 @@ change(void *server_handle,
keys, num_keys);
_kadm5_free_keys (server_handle, num_keys, keys);
- if (cmp == 0)
- goto out2;
-
+ if (cmp == 0) {
+ krb5_set_error_string(context->context, "Password reuse forbidden");
+ ret = KADM5_PASS_REUSE;
+ goto out2;
+ }
ret = _kadm5_set_modifier(context, &ent);
if(ret)
goto out2;
diff --git a/kerberosV/src/lib/kadm5/truncate_log.c b/kerberosV/src/lib/kadm5/truncate_log.c
index efc33d29190..988bb331b07 100644
--- a/kerberosV/src/lib/kadm5/truncate_log.c
+++ b/kerberosV/src/lib/kadm5/truncate_log.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "iprop.h"
-RCSID("$KTH: truncate_log.c,v 1.1 2000/07/24 04:27:06 assar Exp $");
+RCSID("$KTH: truncate_log.c,v 1.1.8.1 2003/10/14 15:58:46 joda Exp $");
static char *realm;
static int version_flag;
@@ -83,6 +83,7 @@ main(int argc, char **argv)
server_context = (kadm5_server_context *)kadm_handle;
ret = kadm5_log_truncate (server_context);
+ if(ret)
krb5_err (context, 1, ret, "kadm5_log_truncate");
return 0;
}
diff --git a/kerberosV/src/lib/kafs/ChangeLog b/kerberosV/src/lib/kafs/ChangeLog
index 4c125e1e0f7..2f1bb02e7b5 100644
--- a/kerberosV/src/lib/kafs/ChangeLog
+++ b/kerberosV/src/lib/kafs/ChangeLog
@@ -1,3 +1,12 @@
+2004-06-22 Love <lha@stacken.kth.se>
+
+ * afssys.c: 1.70->1.72: s/arla/nnpfs/
+
+2004-06-22 Love Hörquist Åstrand <lha@it.su.se>
+
+ * afssys.c: 1.70: support the linux /proc/fs/mumel/afs_ioctl afs
+ "syscall" interface
+
2003-04-23 Love Hörquist Åstrand <lha@it.su.se>
* common.c, kafs.h: drop the int argument (the error code) from
diff --git a/kerberosV/src/lib/krb5/changepw.c b/kerberosV/src/lib/krb5/changepw.c
index dd0578918a8..ecc550c531a 100644
--- a/kerberosV/src/lib/krb5/changepw.c
+++ b/kerberosV/src/lib/krb5/changepw.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,15 +33,42 @@
#include <krb5_locl.h>
-RCSID("$KTH: changepw.c,v 1.38 2002/09/29 11:48:34 joda Exp $");
+RCSID("$KTH: changepw.c,v 1.38.2.1 2004/06/21 08:38:10 lha Exp $");
+
+static void
+str2data (krb5_data *d,
+ const char *fmt,
+ ...) __attribute__ ((format (printf, 2, 3)));
+
+static void
+str2data (krb5_data *d,
+ const char *fmt,
+ ...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ d->length = vasprintf ((char **)&d->data, fmt, args);
+ va_end(args);
+}
+
+/*
+ * Change password protocol defined by
+ * draft-ietf-cat-kerb-chg-password-02.txt
+ *
+ * Share the response part of the protocol with MS set password
+ * (RFC3244)
+ */
static krb5_error_code
-send_request (krb5_context context,
- krb5_auth_context *auth_context,
- krb5_creds *creds,
- int sock,
- char *passwd,
- const char *host)
+chgpw_send_request (krb5_context context,
+ krb5_auth_context *auth_context,
+ krb5_creds *creds,
+ krb5_principal targprinc,
+ int is_stream,
+ int sock,
+ char *passwd,
+ const char *host)
{
krb5_error_code ret;
krb5_data ap_req_data;
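Review bot: In `str2data` the return value of `vasprintf` is assigned straight to `d->length`, so a failed allocation stores -1 in the length field and leaves `d->data` unspecified, and callers then hand that `krb5_data` back as the result string. Capture the return first and fall back to an empty value: `int n = vasprintf((char **)&d->data, fmt, args);` followed by `if (n < 0) krb5_data_zero(d); else d->length = n;`. The helper is only moved by this commit, but `process_reply` now calls it on more error paths, so the gap is easier to reach. `chgpw_send_request`, whose signature closes this hunk, continues outside it.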
@@ -53,6 +80,13 @@ send_request (krb5_context context,
struct iovec iov[3];
struct msghdr msghdr;
+ if (is_stream)
+ return KRB5_KPASSWD_MALFORMED;
+
+ if (targprinc &&
+ krb5_principal_compare(context, creds->client, targprinc) != TRUE)
+ return KRB5_KPASSWD_MALFORMED;
+
krb5_data_zero (&ap_req_data);
ret = krb5_mk_req_extended (context,
@@ -114,26 +148,120 @@ out2:
return ret;
}
-static void
-str2data (krb5_data *d,
- const char *fmt,
- ...) __attribute__ ((format (printf, 2, 3)));
+/*
+ * Set password protocol as defined by RFC3244 --
+ * Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
+ */
-static void
-str2data (krb5_data *d,
- const char *fmt,
- ...)
+static krb5_error_code
+setpw_send_request (krb5_context context,
+ krb5_auth_context *auth_context,
+ krb5_creds *creds,
+ krb5_principal targprinc,
+ int is_stream,
+ int sock,
+ char *passwd,
+ const char *host)
{
- va_list args;
+ krb5_error_code ret;
+ krb5_data ap_req_data;
+ krb5_data krb_priv_data;
+ krb5_data pwd_data;
+ ChangePasswdDataMS chpw;
+ size_t len;
+ u_char header[4 + 6];
+ u_char *p;
+ struct iovec iov[3];
+ struct msghdr msghdr;
- va_start(args, fmt);
- d->length = vasprintf ((char **)&d->data, fmt, args);
- va_end(args);
+ krb5_data_zero (&ap_req_data);
+
+ ret = krb5_mk_req_extended (context,
+ auth_context,
+ AP_OPTS_MUTUAL_REQUIRED | AP_OPTS_USE_SUBKEY,
+ NULL, /* in_data */
+ creds,
+ &ap_req_data);
+ if (ret)
+ return ret;
+
+ chpw.newpasswd.length = strlen(passwd);
+ chpw.newpasswd.data = passwd;
+ if (targprinc) {
+ chpw.targname = &targprinc->name;
+ chpw.targrealm = &targprinc->realm;
+ } else {
+ chpw.targname = NULL;
+ chpw.targrealm = NULL;
+ }
+
+ ASN1_MALLOC_ENCODE(ChangePasswdDataMS, pwd_data.data, pwd_data.length,
+ &chpw, &len, ret);
+ if (ret) {
+ krb5_data_free (&ap_req_data);
+ return ret;
+ }
+
+ if(pwd_data.length != len)
+ krb5_abortx(context, "internal error in ASN.1 encoder");
+
+ ret = krb5_mk_priv (context,
+ *auth_context,
+ &pwd_data,
+ &krb_priv_data,
+ NULL);
+ if (ret)
+ goto out2;
+
+ len = 6 + ap_req_data.length + krb_priv_data.length;
+ p = header;
+ if (is_stream) {
+ _krb5_put_int(p, len, 4);
+ p += 4;
+ }
+ *p++ = (len >> 8) & 0xFF;
+ *p++ = (len >> 0) & 0xFF;
+ *p++ = 0xff;
+ *p++ = 0x80;
+ *p++ = (ap_req_data.length >> 8) & 0xFF;
+ *p++ = (ap_req_data.length >> 0) & 0xFF;
+
+ memset(&msghdr, 0, sizeof(msghdr));
+ msghdr.msg_name = NULL;
+ msghdr.msg_namelen = 0;
+ msghdr.msg_iov = iov;
+ msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
+#if 0
+ msghdr.msg_control = NULL;
+ msghdr.msg_controllen = 0;
+#endif
+
+ iov[0].iov_base = (void*)header;
+ if (is_stream)
+ iov[0].iov_len = 10;
+ else
+ iov[0].iov_len = 6;
+ iov[1].iov_base = ap_req_data.data;
+ iov[1].iov_len = ap_req_data.length;
+ iov[2].iov_base = krb_priv_data.data;
+ iov[2].iov_len = krb_priv_data.length;
+
+ if (sendmsg (sock, &msghdr, 0) < 0) {
+ ret = errno;
+ krb5_set_error_string(context, "sendmsg %s: %s", host, strerror(ret));
+ }
+
+ krb5_data_free (&krb_priv_data);
+out2:
+ krb5_data_free (&ap_req_data);
+ krb5_data_free (&pwd_data);
+ return ret;
}
static krb5_error_code
process_reply (krb5_context context,
krb5_auth_context auth_context,
+ int is_stream,
int sock,
int *result_code,
krb5_data *result_code_string,
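Review bot: `setpw_send_request` releases `pwd_data` with `krb5_data_free` at `out2` without clearing it, although that buffer holds the ASN.1 encoding of `chpw.newpasswd`, that is, the new password in clear text. Wipe it before the free, for example `memset(pwd_data.data, 0, pwd_data.length);`, or a wipe the compiler cannot elide where the platform offers one. Separately, `len` and `ap_req_data.length` are written into two-byte header fields with no check that they fit in 16 bits, so an oversized AP-REQ or KRB-PRIV would be sent with a truncated length; rejecting the message before the header is built would be safer. The last lines of the hunk belong to `process_reply`, whose body lies outside it.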
@@ -141,30 +269,101 @@ process_reply (krb5_context context,
const char *host)
{
krb5_error_code ret;
- u_char reply[BUFSIZ];
- size_t len;
+ u_char reply[1024 * 3];
+ ssize_t len;
u_int16_t pkt_len, pkt_ver;
- krb5_data ap_rep_data, priv_data;
+ krb5_data ap_rep_data;
int save_errno;
- ret = recvfrom (sock, reply, sizeof(reply), 0, NULL, NULL);
- if (ret < 0) {
- save_errno = errno;
- krb5_set_error_string(context, "recvfrom %s: %s",
- host, strerror(save_errno));
- return save_errno;
+ len = 0;
+ if (is_stream) {
+ while (len < sizeof(reply)) {
+ unsigned long size;
+
+ ret = recvfrom (sock, reply + len, sizeof(reply) - len,
+ 0, NULL, NULL);
+ if (ret < 0) {
+ save_errno = errno;
+ krb5_set_error_string(context, "recvfrom %s: %s",
+ host, strerror(save_errno));
+ return save_errno;
+ } else if (ret == 0) {
+ krb5_set_error_string(context, "recvfrom timeout %s", host);
+ return 1;
+ }
+ len += ret;
+ if (len < 4)
+ continue;
+ _krb5_get_int(reply, &size, 4);
+ if (size + 4 < len)
+ continue;
+ memmove(reply, reply + 4, size);
+ len = size;
+ break;
+ }
+ if (len == sizeof(reply)) {
+ krb5_set_error_string(context, "message too large from %s",
+ host);
+ return ENOMEM;
+ }
+ } else {
+ ret = recvfrom (sock, reply, sizeof(reply), 0, NULL, NULL);
+ if (ret < 0) {
+ save_errno = errno;
+ krb5_set_error_string(context, "recvfrom %s: %s",
+ host, strerror(save_errno));
+ return save_errno;
+ }
+ len = ret;
+ }
+
+ if (len < 6) {
+ str2data (result_string, "server %s sent to too short message "
+ "(%d bytes)", host, len);
+ *result_code = KRB5_KPASSWD_MALFORMED;
+ return 0;
}
- len = ret;
pkt_len = (reply[0] << 8) | (reply[1]);
pkt_ver = (reply[2] << 8) | (reply[3]);
+ if ((pkt_len != len) || (reply[1] == 0x7e || reply[1] == 0x5e)) {
+ KRB_ERROR error;
+ size_t size;
+ u_char *p;
+
+ memset(&error, 0, sizeof(error));
+
+ ret = decode_KRB_ERROR(reply, len, &error, &size);
+ if (ret)
+ return ret;
+
+ if (error.e_data->length < 2) {
+ str2data(result_string, "server %s sent too short "
+ "e_data to print anything usable", host);
+ free_KRB_ERROR(&error);
+ *result_code = KRB5_KPASSWD_MALFORMED;
+ return 0;
+ }
+
+ p = error.e_data->data;
+ *result_code = (p[0] << 8) | p[1];
+ if (error.e_data->length == 2)
+ str2data(result_string, "server only sent error code");
+ else
+ krb5_data_copy (result_string,
+ p + 2,
+ error.e_data->length - 2);
+ free_KRB_ERROR(&error);
+ return 0;
+ }
+
if (pkt_len != len) {
str2data (result_string, "client: wrong len in reply");
*result_code = KRB5_KPASSWD_MALFORMED;
return 0;
}
- if (pkt_ver != 0x0001) {
+ if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW) {
str2data (result_string,
"client: wrong version number (%d)", pkt_ver);
*result_code = KRB5_KPASSWD_MALFORMED;
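Review bot: In the `is_stream` branch the 4-byte `size` read from the peer is passed to `memmove(reply, reply + 4, size)` and then assigned to `len` without being compared against `sizeof(reply)`, so a reply announcing a large length moves data past the end of the stack buffer. The test `if (size + 4 < len) continue;` also looks inverted, since it falls through to the `memmove` when fewer than `size + 4` bytes have arrived; I would bound `size` first and keep reading while the message is incomplete, as in the excerpt below. In the KRB-ERROR branch `error.e_data` is dereferenced without a NULL check, which is worth confirming against the generated `KRB_ERROR` type if `e_data` is optional there. `process_reply` begins and ends outside this hunk.

```c
        _krb5_get_int(reply, &size, 4);
        if (size > sizeof(reply) - 4) {
            krb5_set_error_string(context, "message too large from %s",
                                  host);
            return ENOMEM;
        }
        if ((size_t)len < size + 4)
            continue;   /* reply not complete yet */
        /* … unchanged: memmove, len = size, break … */
```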
@@ -173,15 +372,21 @@ process_reply (krb5_context context,
ap_rep_data.data = reply + 6;
ap_rep_data.length = (reply[4] << 8) | (reply[5]);
- priv_data.data = (u_char*)ap_rep_data.data + ap_rep_data.length;
- priv_data.length = len - ap_rep_data.length - 6;
- if ((u_char *)priv_data.data + priv_data.length > reply + len)
- return KRB5_KPASSWD_MALFORMED;
+ if (reply + len < (u_char *)ap_rep_data.data + ap_rep_data.length) {
+ str2data (result_string, "client: wrong AP len in reply");
+ *result_code = KRB5_KPASSWD_MALFORMED;
+ return 0;
+ }
+
if (ap_rep_data.length) {
krb5_ap_rep_enc_part *ap_rep;
+ krb5_data priv_data;
u_char *p;
+ priv_data.data = (u_char*)ap_rep_data.data + ap_rep_data.length;
+ priv_data.length = len - ap_rep_data.length - 6;
+
ret = krb5_rd_rep (context,
auth_context,
&ap_rep_data,
@@ -207,13 +412,14 @@ process_reply (krb5_context context,
"client: bad length in result");
return 0;
}
- p = result_code_string->data;
+
+ p = result_code_string->data;
- *result_code = (p[0] << 8) | p[1];
- krb5_data_copy (result_string,
- (unsigned char*)result_code_string->data + 2,
- result_code_string->length - 2);
- return 0;
+ *result_code = (p[0] << 8) | p[1];
+ krb5_data_copy (result_string,
+ (unsigned char*)result_code_string->data + 2,
+ result_code_string->length - 2);
+ return 0;
} else {
KRB_ERROR error;
size_t size;
@@ -237,19 +443,77 @@ process_reply (krb5_context context,
}
}
+
/*
* change the password using the credentials in `creds' (for the
* principal indicated in them) to `newpw', storing the result of
* the operation in `result_*' and an error code or 0.
*/
-krb5_error_code
-krb5_change_password (krb5_context context,
+typedef krb5_error_code (*kpwd_send_request) (krb5_context,
+ krb5_auth_context *,
+ krb5_creds *,
+ krb5_principal,
+ int,
+ int,
+ char *,
+ const char *);
+typedef krb5_error_code (*kpwd_process_reply) (krb5_context,
+ krb5_auth_context,
+ int,
+ int,
+ int *,
+ krb5_data *,
+ krb5_data *,
+ const char *);
+
+struct kpwd_proc {
+ const char *name;
+ int flags;
+#define SUPPORT_TCP 1
+#define SUPPORT_UDP 2
+ kpwd_send_request send_req;
+ kpwd_process_reply process_rep;
+} procs[] = {
+ {
+ "MS set password",
+ SUPPORT_TCP|SUPPORT_UDP,
+ setpw_send_request,
+ process_reply
+ },
+ {
+ "change password",
+ SUPPORT_UDP,
+ chgpw_send_request,
+ process_reply
+ },
+ { NULL }
+};
+
+static struct kpwd_proc *
+find_chpw_proto(const char *name)
+{
+ struct kpwd_proc *p;
+ for (p = procs; p->name != NULL; p++) {
+ if (strcmp(p->name, name) == 0)
+ return p;
+ }
+ return NULL;
+}
+
+/*
+ *
+ */
+
+static krb5_error_code
+change_password_loop (krb5_context context,
krb5_creds *creds,
+ krb5_principal targprinc,
char *newpw,
int *result_code,
krb5_data *result_code_string,
- krb5_data *result_string)
+ krb5_data *result_string,
+ struct kpwd_proc *proc)
{
krb5_error_code ret;
krb5_auth_context auth_context = NULL;
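Review bot: The table `procs` is defined with external linkage and a very generic name, so every program linking the library gets a writable global symbol `procs`. It is only used in this file, so `static struct kpwd_proc {` on the definition would keep it private. The comment "change the password using the credentials in `creds'…" is now stranded above the typedefs, and `change_password_loop` carries only an empty `/* */` block. A short comment there saying that it tries each KDC host over the transports allowed by `proc->flags`, and that `targprinc` may be NULL, would help the next reader. The body of `change_password_loop` continues outside this hunk.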
@@ -273,6 +537,22 @@ krb5_change_password (krb5_context context,
while (!done && (ret = krb5_krbhst_next(context, handle, &hi)) == 0) {
struct addrinfo *ai, *a;
+ int is_stream;
+
+ switch (hi->proto) {
+ case KRB5_KRBHST_UDP:
+ if ((proc->flags & SUPPORT_UDP) == 0)
+ continue;
+ is_stream = 0;
+ break;
+ case KRB5_KRBHST_TCP:
+ if ((proc->flags & SUPPORT_TCP) == 0)
+ continue;
+ is_stream = 1;
+ break;
+ default:
+ continue;
+ }
ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
if (ret)
@@ -304,12 +584,15 @@ krb5_change_password (krb5_context context,
if (!replied) {
replied = 0;
- ret = send_request (context,
- &auth_context,
- creds,
- sock,
- newpw,
- hi->hostname);
+
+ ret = (*proc->send_req) (context,
+ &auth_context,
+ creds,
+ targprinc,
+ is_stream,
+ sock,
+ newpw,
+ hi->hostname);
if (ret) {
close(sock);
goto out;
@@ -334,13 +617,14 @@ krb5_change_password (krb5_context context,
goto out;
}
if (ret == 1) {
- ret = process_reply (context,
- auth_context,
- sock,
- result_code,
- result_code_string,
- result_string,
- hi->hostname);
+ ret = (*proc->process_rep) (context,
+ auth_context,
+ is_stream,
+ sock,
+ result_code,
+ result_code_string,
+ result_string,
+ hi->hostname);
if (ret == 0)
done = 1;
else if (i > 0 && ret == KRB5KRB_AP_ERR_MUT_FAIL)
@@ -367,7 +651,148 @@ krb5_change_password (krb5_context context,
}
}
-const char *
+
+/*
+ * change the password using the credentials in `creds' (for the
+ * principal indicated in them) to `newpw', storing the result of
+ * the operation in `result_*' and an error code or 0.
+ */
+
+krb5_error_code
+krb5_change_password (krb5_context context,
+ krb5_creds *creds,
+ char *newpw,
+ int *result_code,
+ krb5_data *result_code_string,
+ krb5_data *result_string)
+{
+ struct kpwd_proc *p = find_chpw_proto("change password");
+
+ *result_code = KRB5_KPASSWD_MALFORMED;
+ result_code_string->data = result_string->data = NULL;
+ result_code_string->length = result_string->length = 0;
+
+ if (p == NULL)
+ return KRB5_KPASSWD_MALFORMED;
+
+ return change_password_loop(context, creds, NULL, newpw,
+ result_code, result_code_string,
+ result_string, p);
+}
+
+/*
+ *
+ */
+
+krb5_error_code
+krb5_set_password(krb5_context context,
+ krb5_creds *creds,
+ char *newpw,
+ krb5_principal targprinc,
+ int *result_code,
+ krb5_data *result_code_string,
+ krb5_data *result_string)
+{
+ krb5_principal principal = NULL;
+ krb5_error_code ret = 0;
+ int i;
+
+ *result_code = KRB5_KPASSWD_MALFORMED;
+ result_code_string->data = result_string->data = NULL;
+ result_code_string->length = result_string->length = 0;
+
+ if (targprinc == NULL) {
+ ret = krb5_get_default_principal(context, &principal);
+ if (ret)
+ return ret;
+ } else
+ principal = targprinc;
+
+ for (i = 0; procs[i].name != NULL; i++) {
+ *result_code = 0;
+ ret = change_password_loop(context, creds, targprinc, newpw,
+ result_code, result_code_string,
+ result_string,
+ &procs[i]);
+ if (ret == 0 && *result_code == 0)
+ break;
+ }
+
+ if (targprinc == NULL)
+ krb5_free_principal(context, principal);
+ return ret;
+}
+
+/*
+ *
+ */
+
+krb5_error_code
+krb5_set_password_using_ccache(krb5_context context,
+ krb5_ccache ccache,
+ char *newpw,
+ krb5_principal targprinc,
+ int *result_code,
+ krb5_data *result_code_string,
+ krb5_data *result_string)
+{
+ krb5_creds creds, *credsp;
+ krb5_error_code ret;
+ krb5_principal principal = NULL;
+
+ *result_code = KRB5_KPASSWD_MALFORMED;
+ result_code_string->data = result_string->data = NULL;
+ result_code_string->length = result_string->length = 0;
+
+ memset(&creds, 0, sizeof(creds));
+
+ if (targprinc == NULL) {
+ ret = krb5_cc_get_principal(context, ccache, &principal);
+ if (ret)
+ return ret;
+ } else
+ principal = targprinc;
+
+ ret = krb5_make_principal(context, &creds.server,
+ krb5_principal_get_realm(context, principal),
+ "kadmin", "changepw", NULL);
+ if (ret)
+ goto out;
+
+ ret = krb5_cc_get_principal(context, ccache, &creds.client);
+ if (ret) {
+ krb5_free_principal(context, creds.server);
+ goto out;
+ }
+
+ ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
+ krb5_free_principal(context, creds.server);
+ krb5_free_principal(context, creds.client);
+ if (ret)
+ goto out;
+
+ ret = krb5_set_password(context,
+ credsp,
+ newpw,
+ principal,
+ result_code,
+ result_code_string,
+ result_string);
+
+ krb5_free_creds(context, credsp);
+
+ return ret;
+ out:
+ if (targprinc == NULL)
+ krb5_free_principal(context, principal);
+ return ret;
+}
+
+/*
+ *
+ */
+
+const char*
krb5_passwd_result_to_string (krb5_context context,
int result)
{
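Review bot: `krb5_set_password_using_ccache` leaks `principal` on its success path: when `targprinc` is NULL the principal comes from `krb5_cc_get_principal`, but the `return ret;` after `krb5_free_creds (context, credsp);` skips the `out:` label, the only place that frees it. Dropping that `return ret;` so the function falls through to `out:` fixes it. In `krb5_set_password` the principal obtained from `krb5_get_default_principal` is never used before being freed, and `result_code_string`/`result_string` filled in by a failed protocol attempt do not appear to be released before the next iteration of the `procs` loop overwrites them. The three new public functions have empty `/* */` headers; each should say who owns `result_code_string` and `result_string` on return.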
@@ -376,10 +801,13 @@ krb5_passwd_result_to_string (krb5_context context,
"Malformed",
"Hard error",
"Auth error",
- "Soft error"
+ "Soft error" ,
+ "Access denied",
+ "Bad version",
+ "Initial flag needed"
};
- if (result < 0 || result > KRB5_KPASSWD_SOFTERROR)
+ if (result < 0 || result > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)
return "unknown result code";
else
return strings[result];
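Review bot: The bound in `krb5_passwd_result_to_string` is kept in step with the `strings` table by hand, so adding a result code without a matching string would index past the array. Tying the check to the table removes that coupling: `if (result < 0 || (size_t)result >= sizeof(strings)/sizeof(strings[0]))`. The start of the array is outside this hunk, so I am assuming the visible entries are its tail.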
diff --git a/kerberosV/src/lib/krb5/eai_to_heim_errno.c b/kerberosV/src/lib/krb5/eai_to_heim_errno.c
index 671bc8e9db8..feb788fbc08 100644
--- a/kerberosV/src/lib/krb5/eai_to_heim_errno.c
+++ b/kerberosV/src/lib/krb5/eai_to_heim_errno.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$KTH: eai_to_heim_errno.c,v 1.3 2001/05/14 22:48:33 assar Exp $");
+RCSID("$KTH: eai_to_heim_errno.c,v 1.3.8.1 2004/02/13 16:15:16 lha Exp $");
/*
* convert the getaddrinfo error code in `eai_errno' into a
@@ -47,8 +47,10 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error)
switch(eai_errno) {
case EAI_NOERROR:
return 0;
+#ifdef EAI_ADDRFAMILY
case EAI_ADDRFAMILY:
return HEIM_EAI_ADDRFAMILY;
+#endif
case EAI_AGAIN:
return HEIM_EAI_AGAIN;
case EAI_BADFLAGS:
@@ -59,8 +61,10 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error)
return HEIM_EAI_FAMILY;
case EAI_MEMORY:
return HEIM_EAI_MEMORY;
+#if defined(EAI_NODATA) && EAI_NODATA != EAI_NONAME
case EAI_NODATA:
return HEIM_EAI_NODATA;
+#endif
case EAI_NONAME:
return HEIM_EAI_NONAME;
case EAI_SERVICE:
diff --git a/kerberosV/src/lib/krb5/get_cred.c b/kerberosV/src/lib/krb5/get_cred.c
index bbc81a3d922..2f414b6055b 100644
--- a/kerberosV/src/lib/krb5/get_cred.c
+++ b/kerberosV/src/lib/krb5/get_cred.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$KTH: get_cred.c,v 1.91 2002/09/04 21:12:46 joda Exp $");
+RCSID("$KTH: get_cred.c,v 1.91.4.3 2004/01/09 00:47:17 lha Exp $");
/*
* Take the `body' and encode it into `padata' using the credentials
@@ -225,26 +225,37 @@ init_tgs_req (krb5_context context,
{
krb5_auth_context ac;
- krb5_keyblock *key;
+ krb5_keyblock *key = NULL;
ret = krb5_auth_con_init(context, &ac);
if(ret)
goto fail;
- ret = krb5_generate_subkey (context, &krbtgt->session, &key);
- if (ret) {
- krb5_auth_con_free (context, ac);
- goto fail;
- }
- ret = krb5_auth_con_setlocalsubkey(context, ac, key);
- if (ret) {
- krb5_free_keyblock (context, key);
- krb5_auth_con_free (context, ac);
- goto fail;
+
+ if (krb5_config_get_bool_default(context, NULL, FALSE,
+ "realms",
+ krbtgt->server->realm,
+ "tgs_require_subkey",
+ NULL))
+ {
+ ret = krb5_generate_subkey (context, &krbtgt->session, &key);
+ if (ret) {
+ krb5_auth_con_free (context, ac);
+ goto fail;
+ }
+
+ ret = krb5_auth_con_setlocalsubkey(context, ac, key);
+ if (ret) {
+ if (key)
+ krb5_free_keyblock (context, key);
+ krb5_auth_con_free (context, ac);
+ goto fail;
+ }
}
ret = set_auth_data (context, &t->req_body, &in_creds->authdata, key);
if (ret) {
- krb5_free_keyblock (context, key);
+ if (key)
+ krb5_free_keyblock (context, key);
krb5_auth_con_free (context, ac);
goto fail;
}
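Review bot: With `tgs_require_subkey` unset, which is the default given to `krb5_config_get_bool_default`, `key` stays NULL and is passed as-is to `set_auth_data (context, &t->req_body, &in_creds->authdata, key)`. `set_auth_data` is not in this hunk, so please confirm it tolerates a NULL key when `in_creds->authdata` is non-empty; if it encrypts the authorization data with that key, the no-subkey path needs a fallback or an explicit error. The `if (key)` guard inside the `krb5_auth_con_setlocalsubkey` failure branch is redundant, because `krb5_generate_subkey` has just succeeded there. A comment above the config lookup explaining why the subkey became opt-in would also help, since this changes what is sent in every TGS request. `init_tgs_req` starts before this hunk.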
@@ -256,7 +267,8 @@ init_tgs_req (krb5_context context,
krbtgt,
usage);
if(ret) {
- krb5_free_keyblock (context, key);
+ if (key)
+ krb5_free_keyblock (context, key);
krb5_auth_con_free(context, ac);
goto fail;
}
@@ -265,36 +277,44 @@ init_tgs_req (krb5_context context,
krb5_auth_con_free(context, ac);
}
fail:
- if (ret)
- /* XXX - don't free addresses? */
+ if (ret) {
+ t->req_body.addresses = NULL;
free_TGS_REQ (t);
+ }
return ret;
}
-static krb5_error_code
-get_krbtgt(krb5_context context,
- krb5_ccache id,
- krb5_realm realm,
- krb5_creds **cred)
+krb5_error_code
+_krb5_get_krbtgt(krb5_context context,
+ krb5_ccache id,
+ krb5_realm realm,
+ krb5_creds **cred)
{
krb5_error_code ret;
krb5_creds tmp_cred;
memset(&tmp_cred, 0, sizeof(tmp_cred));
+ ret = krb5_cc_get_principal(context, id, &tmp_cred.client);
+ if (ret)
+ return ret;
+
ret = krb5_make_principal(context,
&tmp_cred.server,
realm,
KRB5_TGS_NAME,
realm,
NULL);
- if(ret)
+ if(ret) {
+ krb5_free_principal(context, tmp_cred.client);
return ret;
+ }
ret = krb5_get_credentials(context,
KRB5_GC_CACHED,
id,
&tmp_cred,
cred);
+ krb5_free_principal(context, tmp_cred.client);
krb5_free_principal(context, tmp_cred.server);
if(ret)
return ret;
@@ -467,7 +487,7 @@ get_cred_kdc_usage(krb5_context context,
krb5_clear_error_string(context);
}
krb5_data_free(&resp);
-out:
+ out:
if(subkey){
krb5_free_keyblock_contents(context, subkey);
free(subkey);
@@ -537,10 +557,10 @@ krb5_get_kdc_cred(krb5_context context,
krb5_set_error_string(context, "malloc: out of memory");
return ENOMEM;
}
- ret = get_krbtgt (context,
- id,
- in_creds->server->realm,
- &krbtgt);
+ ret = _krb5_get_krbtgt (context,
+ id,
+ in_creds->server->realm,
+ &krbtgt);
if(ret) {
free(*out_creds);
return ret;
@@ -635,8 +655,16 @@ get_cred_from_kdc_flags(krb5_context context,
if(ret)
return ret;
- try_realm = krb5_config_get_string(context, NULL, "libdefaults",
- "capath", server_realm, NULL);
+ try_realm = krb5_config_get_string(context, NULL, "capaths",
+ client_realm, server_realm, NULL);
+
+#if 1
+ /* XXX remove in future release */
+ if(try_realm == NULL)
+ try_realm = krb5_config_get_string(context, NULL, "libdefaults",
+ "capath", server_realm, NULL);
+#endif
+
if (try_realm == NULL)
try_realm = client_realm;
@@ -644,7 +672,7 @@ get_cred_from_kdc_flags(krb5_context context,
&tmp_creds.server,
try_realm,
KRB5_TGS_NAME,
- server_realm,
+ server_realm,
NULL);
if(ret){
krb5_free_principal(context, tmp_creds.client);
diff --git a/kerberosV/src/lib/krb5/get_for_creds.c b/kerberosV/src/lib/krb5/get_for_creds.c
index abe09f7c83b..fb988fd678c 100644
--- a/kerberosV/src/lib/krb5/get_for_creds.c
+++ b/kerberosV/src/lib/krb5/get_for_creds.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$KTH: get_for_creds.c,v 1.34 2002/09/04 16:26:04 joda Exp $");
+RCSID("$KTH: get_for_creds.c,v 1.34.4.1 2004/01/09 00:51:55 lha Exp $");
static krb5_error_code
add_addrs(krb5_context context,
@@ -41,7 +41,7 @@ add_addrs(krb5_context context,
struct addrinfo *ai)
{
krb5_error_code ret;
- unsigned n, i, j;
+ unsigned n, i;
void *tmp;
struct addrinfo *a;
@@ -49,29 +49,34 @@ add_addrs(krb5_context context,
for (a = ai; a != NULL; a = a->ai_next)
++n;
- i = addr->len;
- addr->len += n;
- tmp = realloc(addr->val, addr->len * sizeof(*addr->val));
+ tmp = realloc(addr->val, (addr->len + n) * sizeof(*addr->val));
if (tmp == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
ret = ENOMEM;
goto fail;
}
addr->val = tmp;
- for (j = i; j < addr->len; ++j) {
+ for (i = addr->len; i < (addr->len + n); ++i) {
addr->val[i].addr_type = 0;
krb5_data_zero(&addr->val[i].address);
}
+ i = addr->len;
for (a = ai; a != NULL; a = a->ai_next) {
- ret = krb5_sockaddr2address (context, a->ai_addr, &addr->val[i]);
- if (ret == 0)
- ++i;
+ krb5_address ad;
+
+ ret = krb5_sockaddr2address (context, a->ai_addr, &ad);
+ if (ret == 0) {
+ if (krb5_address_search(context, &ad, addr))
+ krb5_free_address(context, &ad);
+ else
+ addr->val[i++] = ad;
+ }
else if (ret == KRB5_PROG_ATYPE_NOSUPP)
krb5_clear_error_string (context);
else
goto fail;
+ addr->len = i;
}
- addr->len = i;
return 0;
fail:
krb5_free_addresses (context, addr);
@@ -157,42 +162,66 @@ krb5_get_forwarded_creds (krb5_context context,
{
krb5_error_code ret;
krb5_creds *out_creds;
- krb5_addresses addrs;
+ krb5_addresses addrs, *paddrs;
KRB_CRED cred;
KrbCredInfo *krb_cred_info;
EncKrbCredPart enc_krb_cred_part;
size_t len;
unsigned char *buf;
size_t buf_size;
- int32_t sec, usec;
krb5_kdc_flags kdc_flags;
krb5_crypto crypto;
struct addrinfo *ai;
int save_errno;
krb5_keyblock *key;
+ krb5_creds *ticket;
+ char *realm;
+
+ if (in_creds->client && in_creds->client->realm)
+ realm = in_creds->client->realm;
+ else
+ realm = in_creds->server->realm;
addrs.len = 0;
addrs.val = NULL;
-
- ret = getaddrinfo (hostname, NULL, NULL, &ai);
- if (ret) {
- save_errno = errno;
- krb5_set_error_string(context, "resolving %s: %s",
- hostname, gai_strerror(ret));
- return krb5_eai_to_heim_errno(ret, save_errno);
+ paddrs = &addrs;
+
+ /*
+ * If tickets are address-less, forward address-less tickets.
+ */
+
+ ret = _krb5_get_krbtgt (context,
+ ccache,
+ realm,
+ &ticket);
+ if(ret == 0) {
+ if (ticket->addresses.len == 0)
+ paddrs = NULL;
+ krb5_free_creds (context, ticket);
}
-
- ret = add_addrs (context, &addrs, ai);
- freeaddrinfo (ai);
- if (ret)
- return ret;
-
+
+ if (paddrs != NULL) {
+
+ ret = getaddrinfo (hostname, NULL, NULL, &ai);
+ if (ret) {
+ save_errno = errno;
+ krb5_set_error_string(context, "resolving %s: %s",
+ hostname, gai_strerror(ret));
+ return krb5_eai_to_heim_errno(ret, save_errno);
+ }
+
+ ret = add_addrs (context, &addrs, ai);
+ freeaddrinfo (ai);
+ if (ret)
+ return ret;
+ }
+
kdc_flags.i = flags;
ret = krb5_get_kdc_cred (context,
ccache,
kdc_flags,
- &addrs,
+ paddrs,
NULL,
in_creds,
&out_creds);
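Review bot: A failure of `_krb5_get_krbtgt` in `krb5_get_forwarded_creds` is silently discarded, and any error string it set may stay in `context` while the function carries on with address-bound tickets. Falling back to addresses is the conservative choice, but it deserves a comment, and an `else krb5_clear_error_string (context);` after the `if(ret == 0)` block would keep a stale message from surfacing later. The realm selection reads `in_creds->server->realm` without checking `in_creds->server`, and the new `char *realm` is shadowed by the `krb5_const_realm realm` locals in the later hunks of this function; renaming one of them avoids confusion. The function body extends beyond this hunk.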
@@ -224,29 +253,36 @@ krb5_get_forwarded_creds (krb5_context context,
goto out4;
}
- krb5_us_timeofday (context, &sec, &usec);
-
- ALLOC(enc_krb_cred_part.timestamp, 1);
- if (enc_krb_cred_part.timestamp == NULL) {
- ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
- goto out4;
- }
- *enc_krb_cred_part.timestamp = sec;
- ALLOC(enc_krb_cred_part.usec, 1);
- if (enc_krb_cred_part.usec == NULL) {
- ret = ENOMEM;
- krb5_set_error_string(context, "malloc: out of memory");
- goto out4;
+ if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+ int32_t sec, usec;
+
+ krb5_us_timeofday (context, &sec, &usec);
+
+ ALLOC(enc_krb_cred_part.timestamp, 1);
+ if (enc_krb_cred_part.timestamp == NULL) {
+ ret = ENOMEM;
+ krb5_set_error_string(context, "malloc: out of memory");
+ goto out4;
+ }
+ *enc_krb_cred_part.timestamp = sec;
+ ALLOC(enc_krb_cred_part.usec, 1);
+ if (enc_krb_cred_part.usec == NULL) {
+ ret = ENOMEM;
+ krb5_set_error_string(context, "malloc: out of memory");
+ goto out4;
+ }
+ *enc_krb_cred_part.usec = usec;
+ } else {
+ enc_krb_cred_part.timestamp = NULL;
+ enc_krb_cred_part.usec = NULL;
}
- *enc_krb_cred_part.usec = usec;
if (auth_context->local_address && auth_context->local_port) {
krb5_boolean noaddr;
- const krb5_realm *realm;
+ krb5_const_realm realm;
- realm = krb5_princ_realm(context, out_creds->server);
- krb5_appdefault_boolean(context, NULL, *realm, "no-addresses", FALSE,
+ realm = krb5_principal_get_realm(context, out_creds->server);
+ krb5_appdefault_boolean(context, NULL, realm, "no-addresses", FALSE,
&noaddr);
if (!noaddr) {
ret = krb5_make_addrport (context,
@@ -261,10 +297,10 @@ krb5_get_forwarded_creds (krb5_context context,
if (auth_context->remote_address) {
if (auth_context->remote_port) {
krb5_boolean noaddr;
- const krb5_realm *realm;
+ krb5_const_realm realm;
- realm = krb5_princ_realm(context, out_creds->server);
- krb5_appdefault_boolean(context, NULL, *realm, "no-addresses",
+ realm = krb5_principal_get_realm(context, out_creds->server);
+ krb5_appdefault_boolean(context, NULL, realm, "no-addresses",
FALSE, &noaddr);
if (!noaddr) {
ret = krb5_make_addrport (context,
@@ -367,11 +403,11 @@ krb5_get_forwarded_creds (krb5_context context,
out_data->length = len;
out_data->data = buf;
return 0;
-out4:
+ out4:
free_EncKrbCredPart(&enc_krb_cred_part);
-out3:
+ out3:
free_KRB_CRED(&cred);
-out2:
+ out2:
krb5_free_creds (context, out_creds);
return ret;
}
diff --git a/kerberosV/src/lib/krb5/get_in_tkt.c b/kerberosV/src/lib/krb5/get_in_tkt.c
index 7d29297e66e..aea8dc6496c 100644
--- a/kerberosV/src/lib/krb5/get_in_tkt.c
+++ b/kerberosV/src/lib/krb5/get_in_tkt.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$KTH: get_in_tkt.c,v 1.107 2003/02/16 06:41:25 nectar Exp $");
+RCSID("$KTH: get_in_tkt.c,v 1.107.2.1 2003/09/18 21:00:09 lha Exp $");
krb5_error_code
krb5_init_etype (krb5_context context,
@@ -543,9 +543,9 @@ init_as_req (krb5_context context,
else
krb5_data_zero(&salt.saltvalue);
ret = add_padata(context, a->padata, creds->client,
- key_proc, keyseed,
- &preauth->val[i].info.val[j].etype, 1,
- sp);
+ key_proc, keyseed,
+ &preauth->val[i].info.val[j].etype, 1,
+ sp);
if (ret == 0)
break;
}
@@ -821,7 +821,7 @@ krb5_get_in_tkt(krb5_context context,
ret_as_reply);
if(ret)
return ret;
- ret = krb5_cc_store_cred (context, ccache, creds);
- krb5_free_creds_contents (context, creds);
+ if (ccache)
+ ret = krb5_cc_store_cred (context, ccache, creds);
return ret;
}
diff --git a/kerberosV/src/lib/krb5/init_creds_pw.c b/kerberosV/src/lib/krb5/init_creds_pw.c
index 901462078bd..026e8997d92 100644
--- a/kerberosV/src/lib/krb5/init_creds_pw.c
+++ b/kerberosV/src/lib/krb5/init_creds_pw.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$KTH: init_creds_pw.c,v 1.55 2003/03/20 18:07:31 lha Exp $");
+RCSID("$KTH: init_creds_pw.c,v 1.55.2.1 2004/08/30 23:21:07 lha Exp $");
static int
get_config_time (krb5_context context,
@@ -398,6 +398,8 @@ krb5_get_init_creds_password(krb5_context context,
krb5_data password_data;
int done;
+ memset(&kdc_reply, 0, sizeof(kdc_reply));
+
ret = get_init_creds_common(context, creds, client, start_time,
in_tkt_service, options,
&addrs, &etypes, &this_cred, &pre_auth_types,
@@ -486,8 +488,8 @@ krb5_get_init_creds_password(krb5_context context,
data);
out:
memset (buf, 0, sizeof(buf));
- if (ret == 0)
- krb5_free_kdc_rep (context, &kdc_reply);
+
+ krb5_free_kdc_rep (context, &kdc_reply);
free (pre_auth_types);
free (etypes);
diff --git a/kerberosV/src/lib/krb5/kerberos.cat8 b/kerberosV/src/lib/krb5/kerberos.cat8
new file mode 100644
index 00000000000..532f38cd177
--- /dev/null
+++ b/kerberosV/src/lib/krb5/kerberos.cat8
@@ -0,0 +1,55 @@
+
+KERBEROS(8) UNIX System Manager's Manual KERBEROS(8)
+
+NNAAMMEE
+ kkeerrbbeerrooss - introduction to the Kerberos system
+
+DDEESSCCRRIIPPTTIIOONN
+ Kerberos is a network authentication system. Its purpose is to securely
+ authenticate users and services in an insecure network environment.
+
+ This is done with a Kerberos server acting as a trusted third party,
+ keeping a database with secret keys for all users and services (collec-
+ tively called _p_r_i_n_c_i_p_a_l_s).
+
+ Each principal belongs to exactly one _r_e_a_l_m, which is the administrative
+ domain in Kerberos. A realm usually corresponds to an organisation, and
+ the realm should normally be derived from that organisation's domain
+ name. A realm is served by one or more Kerberos servers.
+
+ The authentication process involves exchange of `tickets' and
+ `authenticators' which together prove the principal's identity.
+
+ When you login to the Kerberos system, either through the normal system
+ login or with the kinit(1) program, you acquire a _t_i_c_k_e_t _g_r_a_n_t_i_n_g _t_i_c_k_e_t
+ which allows you to get new tickets for other services, such as tteellnneett or
+ ffttpp, without giving your password.
+
+ For more information on how Kerberos works, and other general Kerberos
+ questions see the Kerberos FAQ at
+ _h_t_t_p_:_/_/_w_w_w_._n_r_l_._n_a_v_y_._m_i_l_/_C_C_S_/_p_e_o_p_l_e_/_k_e_n_h_/_k_e_r_b_e_r_o_s_-_f_a_q_._h_t_m_l.
+
+ For setup instructions see the Heimdal Texinfo manual.
+
+SSEEEE AALLSSOO
+ ftp(1), kdestroy(1), kinit(1), klist(1), kpasswd(1), telnet(1)
+
+HHIISSTTOORRYY
+ The Kerberos authentication system was developed in the late 1980's as
+ part of the Athena Project at the Massachusetts Institute of Technology.
+ Versions one through three never reached outside MIT, but version 4 was
+ (and still is) quite popular, especially in the academic community, but
+ is also used in commercial products like the AFS filesystem.
+
+ The problems with version 4 are that it has many limitations, the code
+ was not too well written (since it had been developed over a long time),
+ and it has a number of known security problems. To resolve many of these
+ issues work on version five started, and resulted in IETF RFC1510 in
+ 1993. Since then much work has been put into the further development, and
+ a new RFC will hopefully appear soon.
+
+ This manual manual page is part of the HHeeiimmddaall Kerberos 5 distribution,
+ which has been in development at the Royal Institute of Technology in
+ Stockholm, Sweden, since about 1997.
+
+ HEIMDAL September 1, 2000 1
diff --git a/kerberosV/src/lib/krb5/krb5-private.h b/kerberosV/src/lib/krb5/krb5-private.h
index b2471317e33..669e9547c5a 100644
--- a/kerberosV/src/lib/krb5/krb5-private.h
+++ b/kerberosV/src/lib/krb5/krb5-private.h
@@ -43,6 +43,13 @@ _krb5_get_int (
unsigned long */*value*/,
size_t /*size*/);
+krb5_error_code
+_krb5_get_krbtgt (
+ krb5_context /*context*/,
+ krb5_ccache /*id*/,
+ krb5_realm /*realm*/,
+ krb5_creds **/*cred*/);
+
time_t
_krb5_krb_life_to_time (
int /*start*/,
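Review bot: `_krb5_get_krbtgt` returns a credential through `krb5_creds **cred`, but the declaration does not say who releases it, so a caller can easily leak or double-free the ticket-granting credential. A comment such as `/* on success *cred is allocated for the caller, who must free it */` would settle that, once checked against the definition, which is outside this hunk. The next hunk has the same gap: `_krb5_xlock` and `_krb5_xunlock` return plain `int` where their neighbours return `krb5_error_code`, with no statement of what a non-zero value means, and `_krb5_store_creds_internal` takes an unexplained `int v0_6` selector. The prototype layout suggests this header may be generated from the .c files; if so, the comments belong on the definitions rather than here.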
@@ -66,4 +73,30 @@ _krb5_put_int (
unsigned long /*value*/,
size_t /*size*/);
+krb5_error_code
+_krb5_store_creds_heimdal_0_7 (
+ krb5_storage */*sp*/,
+ krb5_creds */*creds*/);
+
+krb5_error_code
+_krb5_store_creds_heimdal_pre_0_7 (
+ krb5_storage */*sp*/,
+ krb5_creds */*creds*/);
+
+krb5_error_code
+_krb5_store_creds_internal (
+ krb5_storage */*sp*/,
+ krb5_creds */*creds*/,
+ int /*v0_6*/);
+
+int
+_krb5_xlock (
+ krb5_context /*context*/,
+ int /*fd*/,
+ krb5_boolean /*exclusive*/,
+ const char */*filename*/);
+
+int
+_krb5_xunlock (int /*fd*/);
+
#endif /* __krb5_private_h__ */
diff --git a/kerberosV/src/lib/krb5/krb5.cat3 b/kerberosV/src/lib/krb5/krb5.cat3
new file mode 100644
index 00000000000..83cd5de34aa
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5.cat3
@@ -0,0 +1,204 @@
+
+KRB5(3) UNIX Programmer's Manual KRB5(3)
+
+NNAAMMEE
+ kkrrbb55 - kerberos 5 library
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions constitute the Kerberos 5 library, _l_i_b_k_r_b_5. Declarations
+ for these functions may be obtained from the include file _k_r_b_5_._h.
+
+LLIISSTT OOFF FFUUNNCCTTIIOONNSS
+ _N_a_m_e_/_P_a_g_e _D_e_s_c_r_i_p_t_i_o_n
+ krb5_425_conv_principal.3
+ krb5_425_conv_principal_ext.3
+ krb5_524_conv_principal.3
+ krb5_addlog_dest.3
+ krb5_addlog_func.3
+ krb5_addr2sockaddr.3
+ krb5_address.3
+ krb5_address_compare.3
+ krb5_address_order.3
+ krb5_address_search.3
+ krb5_addresses.3
+ krb5_anyaddr.3
+ krb5_appdefault_boolean.3
+ krb5_appdefault_string.3
+ krb5_appdefault_time.3
+ krb5_append_addresses.3
+ krb5_auth_con_free.3
+ krb5_auth_con_genaddrs.3
+ krb5_auth_con_getaddrs.3
+ krb5_auth_con_getflags.3
+ krb5_auth_con_getkey.3
+ krb5_auth_con_getlocalsubkey.3
+ krb5_auth_con_getrcache.3
+ krb5_auth_con_getremotesubkey.3
+ krb5_auth_con_getuserkey.3
+ krb5_auth_con_init.3
+ krb5_auth_con_initivector.3
+ krb5_auth_con_setaddrs.3
+ krb5_auth_con_setaddrs_from_fd.3
+ krb5_auth_con_setflags.3
+ krb5_auth_con_setivector.3
+ krb5_auth_con_setkey.3
+ krb5_auth_con_setlocalsubkey.3
+ krb5_auth_con_setrcache.3
+ krb5_auth_con_setremotesubkey.3
+ krb5_auth_con_setuserkey.3
+ krb5_auth_context.3
+ krb5_auth_getauthenticator.3
+ krb5_auth_getcksumtype.3
+ krb5_auth_getkeytype.3
+ krb5_auth_getlocalseqnumber.3
+ krb5_auth_getremoteseqnumber.3
+ krb5_auth_setcksumtype.3
+ krb5_auth_setkeytype.3
+ krb5_auth_setlocalseqnumber.3
+ krb5_auth_setremoteseqnumber.3
+ krb5_build_principal.3
+ krb5_build_principal_ext.3
+ krb5_build_principal_va.3
+ krb5_build_principal_va_ext.3
+ krb5_cc_close.3
+ krb5_cc_copy_cache.3
+ krb5_cc_default.3
+ krb5_cc_default_name.3
+ krb5_cc_destroy.3
+ krb5_cc_end_seq_get.3
+ krb5_cc_gen_new.3
+ krb5_cc_get_name.3
+ krb5_cc_get_principal.3
+ krb5_cc_get_type.3
+ krb5_cc_get_version.3
+ krb5_cc_initialize.3
+ krb5_cc_next_cred.3
+ krb5_cc_register.3
+ krb5_cc_remove_cred.3
+ krb5_cc_resolve.3
+ krb5_cc_retrieve_cred.3
+ krb5_cc_set_default_name.3
+ krb5_cc_set_flags.3
+ krb5_cc_store_cred.3
+ krb5_checksum_is_collision_proof.3
+ krb5_checksum_is_keyed.3
+ krb5_checksumsize.3
+ krb5_closelog.3
+ krb5_config_get_bool_default.3
+ krb5_config_get_int_default.3
+ krb5_config_get_string_default.3
+ krb5_config_get_time_default.3
+ krb5_context.3
+ krb5_copy_address.3
+ krb5_copy_addresses.3
+ krb5_copy_data.3
+ krb5_create_checksum.3
+ krb5_crypto_destroy.3
+ krb5_crypto_init.3
+ krb5_data_alloc.3
+ krb5_data_copy.3
+ krb5_data_free.3
+ krb5_data_realloc.3
+ krb5_data_zero.3
+ krb5_decrypt.3
+ krb5_decrypt_EncryptedData.3
+ krb5_encrypt.3
+ krb5_encrypt_EncryptedData.3
+ krb5_err.3
+ krb5_errx.3
+ krb5_free_address.3
+ krb5_free_addresses.3
+ krb5_free_context.3
+ krb5_free_data.3
+ krb5_free_data_contents.3
+ krb5_free_host_realm.3
+ krb5_free_krbhst.3
+ krb5_free_principal.3
+ krb5_get_all_client_addrs.3
+ krb5_get_all_server_addrs.3
+ krb5_get_default_realm.3
+ krb5_get_default_realms.3
+ krb5_get_host_realm.3
+ krb5_get_krb524hst.3
+ krb5_get_krb_admin_hst.3
+ krb5_get_krb_changepw_hst.3
+ krb5_get_krbhst.3
+ krb5_h_addr2addr.3
+ krb5_h_addr2sockaddr.3
+ krb5_init_context.3
+ krb5_initlog.3
+ krb5_keytab_entry.3
+ krb5_krbhst_format_string.3
+ krb5_krbhst_free.3
+ krb5_krbhst_get_addrinfo.3
+ krb5_krbhst_init.3
+ krb5_krbhst_next.3
+ krb5_krbhst_next_as_string.3
+ krb5_krbhst_reset.3
+ krb5_kt_add_entry.3
+ krb5_kt_close.3
+ krb5_kt_compare.3
+ krb5_kt_copy_entry_contents.3
+ krb5_kt_cursor.3
+ krb5_kt_cursor.3
+ krb5_kt_default.3
+ krb5_kt_default_name.3
+ krb5_kt_end_seq_get.3
+ krb5_kt_free_entry.3
+ krb5_kt_get_entry.3
+ krb5_kt_get_name.3
+ krb5_kt_next_entry.3
+ krb5_kt_ops.3
+ krb5_kt_read_service_key.3
+ krb5_kt_register.3
+ krb5_kt_remove_entry.3
+ krb5_kt_resolve.3.3
+ krb5_kt_start_seq_get
+ krb5_log.3
+ krb5_log_msg.3
+ krb5_make_addrport.3
+ krb5_make_principal.3
+ krb5_max_sockaddr_size.3
+ krb5_openlog.3
+ krb5_parse_address.3
+ krb5_parse_name.3
+ krb5_principal.3
+ krb5_principal_get_comp_string.3
+ krb5_principal_get_realm.3
+ krb5_print_address.3
+ krb5_set_default_realm.3
+ krb5_set_warn_dest.3
+ krb5_sname_to_principal.3
+ krb5_sock_to_principal.3
+ krb5_sockaddr2address.3
+ krb5_sockaddr2port.3
+ krb5_sockaddr_uninteresting.3
+ krb5_timeofday.3
+ krb5_unparse_name.3
+ krb5_us_timeofday.3
+ krb5_verify_checksum.3
+ krb5_verify_opt_init.3
+ krb5_verify_opt_set_flags.3
+ krb5_verify_opt_set_keytab.3
+ krb5_verify_opt_set_secure.3
+ krb5_verify_opt_set_service.3
+ krb5_verify_user.3
+ krb5_verify_user_lrealm.3
+ krb5_verify_user_opt.3
+ krb5_verr.3
+ krb5_verrx.3
+ krb5_vlog.3
+ krb5_vlog_msg.3
+ krb5_vwarn.3
+ krb5_vwarnx.3
+ krb5_warn.3
+ krb5_warnx.3
+ krn5_kuserok.3
+
+SSEEEE AALLSSOO
+ krb5.conf(5), kerberos(8)
+
+BSD Experimental March 20, 2003 4
diff --git a/kerberosV/src/lib/krb5/krb5.conf.cat5 b/kerberosV/src/lib/krb5/krb5.conf.cat5
new file mode 100644
index 00000000000..7c7bc6d68d3
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5.conf.cat5
@@ -0,0 +1,476 @@
+
+KRB5.CONF(5) UNIX Programmer's Manual KRB5.CONF(5)
+
+NNAAMMEE
+ kkrrbb55..ccoonnff - configuration file for Kerberos 5
+
+SSYYNNOOPPSSIISS
+DDEESSCCRRIIPPTTIIOONN
+ The kkrrbb55..ccoonnff file specifies several configuration parameters for the
+ Kerberos 5 library, as well as for some programs.
+
+ The file consists of one or more sections, containing a number of bind-
+ ings. The value of each binding can be either a string or a list of oth-
+ er bindings. The grammar looks like:
+
+ file:
+ /* empty */
+ sections
+
+ sections:
+ section sections
+ section
+
+ section:
+ '[' section_name ']' bindings
+
+ section_name:
+ STRING
+
+ bindings:
+ binding bindings
+ binding
+
+ binding:
+ name '=' STRING
+ name '=' '{' bindings '}'
+
+ name:
+ STRING
+
+ STRINGs consists of one or more non-whitespace characters.
+
+ STRINGs that are specified later in this man-page uses the following no-
+ tation.
+
+ boolean
+ values can be either yes/true or no/false.
+
+ time
+ values can be a list of year, month, day, hour, min, second.
+ Example: 1 month 2 days 30 min.
+
+ etypes
+ valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-
+ md5, des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96,
+ and aes256-cts-hmac-sha1-96 .
+
+ address
+ an address can be either a IPv4 or a IPv6 address.
+
+ Currently recognised sections and bindings are:
+
+ [appdefaults]
+ Specifies the default values to be used for Kerberos applica-
+ tions. You can specify defaults per application, realm, or a
+
+ combination of these. The preference order is:
+ 1. _a_p_p_l_i_c_a_t_i_o_n _r_e_a_l_m _o_p_t_i_o_n
+ 2. _a_p_p_l_i_c_a_t_i_o_n _o_p_t_i_o_n
+ 3. _r_e_a_l_m _o_p_t_i_o_n
+ 4. _o_p_t_i_o_n
+
+ The supported options are:
+
+ forwardable = _b_o_o_l_e_a_n
+ When obtaining initial credentials, make the cre-
+ dentials forwardable.
+
+ proxiable = _b_o_o_l_e_a_n
+ When obtaining initial credentials, make the cre-
+ dentials proxiable.
+
+ no-addresses = _b_o_o_l_e_a_n
+ When obtaining initial credentials, request them
+ for an empty set of addresses, making the tickets
+ valid from any address.
+
+ ticket_lifetime = _t_i_m_e
+ Default ticket lifetime.
+
+ renew_lifetime = _t_i_m_e
+ Default renewable ticket lifetime.
+
+ encrypt = _b_o_o_l_e_a_n
+ Use encryption, when available.
+
+ forward = _b_o_o_l_e_a_n
+ Forward credentials to remote host (for rsh(1),
+ telnet(1), etc).
+
+ [libdefaults]
+
+ default_realm = _R_E_A_L_M
+ Default realm to use, this is also known as your
+ ``local realm''. The default is the result of
+ kkrrbb55__ggeett__hhoosstt__rreeaallmm(_l_o_c_a_l _h_o_s_t_n_a_m_e).
+
+ clockskew = _t_i_m_e
+ Maximum time differential (in seconds) allowed when
+ comparing times. Default is 300 seconds (five min-
+ utes).
+
+ kdc_timeout = _t_i_m_e
+ Maximum time to wait for a reply from the kdc, de-
+ fault is 3 seconds.
+
+ v4_name_convert
+
+ v4_instance_resolve
+ These are described in the krb5_425_conv_princi-
+ pal(3) manual page.
+
+ capath = {
+
+ _d_e_s_t_i_n_a_t_i_o_n_-_r_e_a_l_m = _n_e_x_t_-_h_o_p_-_r_e_a_l_m
+
+ ...
+
+ }
+
+
+ This is deprecated, see the capaths section below.
+
+ default_etypes = _e_t_y_p_e_s _._._.
+ A list of default encryption types to use.
+
+ default_etypes_des = _e_t_y_p_e_s _._._.
+ A list of default encryption types to use when re-
+ questing a DES credential.
+
+ default_keytab_name = _k_e_y_t_a_b
+ The keytab to use if no other is specified, default
+ is ``FILE:/etc/krb5.keytab''.
+
+ dns_lookup_kdc = _b_o_o_l_e_a_n
+ Use DNS SRV records to lookup KDC services loca-
+ tion.
+
+ dns_lookup_realm = _b_o_o_l_e_a_n
+ Use DNS TXT records to lookup domain to realm map-
+ pings.
+
+ kdc_timesync = _b_o_o_l_e_a_n
+ Try to keep track of the time differential between
+ the local machine and the KDC, and then compensate
+ for that when issuing requests.
+
+ max_retries = _n_u_m_b_e_r
+ The max number of times to try to contact each KDC.
+
+ ticket_lifetime = _t_i_m_e
+ Default ticket lifetime.
+
+ renew_lifetime = _t_i_m_e
+ Default renewable ticket lifetime.
+
+ forwardable = _b_o_o_l_e_a_n
+ When obtaining initial credentials, make the cre-
+ dentials forwardable. This option is also valid in
+ the [realms] section.
+
+ proxiable = _b_o_o_l_e_a_n
+ When obtaining initial credentials, make the cre-
+ dentials proxiable. This option is also valid in
+ the [realms] section.
+
+ verify_ap_req_nofail = _b_o_o_l_e_a_n
+ If enabled, failure to verify credentials against a
+ local key is a fatal error. The application has to
+ be able to read the corresponding service key for
+ this to work. Some applications, like su(1), en-
+ able this option unconditionally.
+
+ warn_pwexpire = _t_i_m_e
+ How soon to warn for expiring password. Default is
+ seven days.
+
+ http_proxy = _p_r_o_x_y_-_s_p_e_c
+ A HTTP-proxy to use when talking to the KDC via
+ HTTP.
+
+ dns_proxy = _p_r_o_x_y_-_s_p_e_c
+ Enable using DNS via HTTP.
+
+ extra_addresses = _a_d_d_r_e_s_s _._._.
+ A list of addresses to get tickets for along with
+
+ all local addresses.
+
+ time_format = _s_t_r_i_n_g
+ How to print time strings in logs, this string is
+ passed to strftime(3).
+
+ date_format = _s_t_r_i_n_g
+ How to print date strings in logs, this string is
+ passed to strftime(3).
+
+ log_utc = _b_o_o_l_e_a_n
+ Write log-entries using UTC instead of your local
+ time zone.
+
+ scan_interfaces = _b_o_o_l_e_a_n
+ Scan all network interfaces for addresses, as op-
+ posed to simply using the address associated with
+ the system's host name.
+
+ fcache_version = _i_n_t
+ Use file credential cache format version specified.
+
+ krb4_get_tickets = _b_o_o_l_e_a_n
+ Also get Kerberos 4 tickets in kkiinniitt, llooggiinn, and
+ other programs. This option is also valid in the
+ [realms] section.
+
+ fcc-mit-ticketflags = _b_o_o_l_e_a_n
+ Use MIT compatible format for file credential
+ cache. It's the field ticketflags that is stored
+ in reverse bit order for older than Heimdal 0.7.
+ Setting this flag to TRUE make it store the MIT
+ way, this is default for Heimdal 0.7.
+
+ [domain_realm]
+ This is a list of mappings from DNS domain to Kerberos realm.
+ Each binding in this section looks like:
+
+ domain = realm
+
+ The domain can be either a full name of a host or a trailing
+ component, in the latter case the domain-string should start
+ with a period. The realm may be the token `dns_locate', in
+ which case the actual realm will be determined using DNS (in-
+ dependently of the setting of the `dns_lookup_realm' option).
+
+ [realms]
+
+ _R_E_A_L_M = {
+
+ kdc = _[_s_e_r_v_i_c_e_/_]_h_o_s_t_[_:_p_o_r_t_]
+ Specifies a list of kdcs for this realm.
+ If the optional _p_o_r_t is absent, the de-
+ fault value for the ``kerberos/udp''
+ ``kerberos/tcp'', and ``http/tcp'' port
+ (depending on service) will be used.
+ The kdcs will be used in the order that
+ they are specified.
+
+ The optional _s_e_r_v_i_c_e specifies over what
+ medium the kdc should be contacted.
+ Possible services are ``udp'', ``tcp'',
+ and ``http''. Http can also be written
+ as ``http://''. Default service is
+
+
+ ``udp'' and ``tcp''.
+
+ admin_server = _h_o_s_t_[_:_p_o_r_t_]
+ Specifies the admin server for this
+ realm, where all the modifications to
+ the database are performed.
+
+ kpasswd_server = _h_o_s_t_[_:_p_o_r_t_]
+ Points to the server where all the pass-
+ word changes are performed. If there is
+ no such entry, the kpasswd port on the
+ admin_server host will be tried.
+
+ krb524_server = _h_o_s_t_[_:_p_o_r_t_]
+ Points to the server that does 524 con-
+ versions. If it is not mentioned, the
+ krb524 port on the kdcs will be tried.
+
+ v4_instance_convert
+
+ v4_name_convert
+
+ default_domain
+ See krb5_425_conv_principal(3).
+
+ tgs_require_subkey
+ a boolan variable that defaults to
+ false. Old DCE secd (pre 1.1) might
+ need this to be true.
+
+ }
+
+ [capaths]
+
+ _c_l_i_e_n_t_-_r_e_a_l_m = {
+
+ _s_e_r_v_e_r_-_r_e_a_l_m = _h_o_p_-_r_e_a_l_m _._._.
+ This serves two purposes. First the
+ first listed _h_o_p_-_r_e_a_l_m tells a client
+ which realm it should contact in order
+ to ultimately obtain credentials for a
+ service in the _s_e_r_v_e_r_-_r_e_a_l_m. Secondly,
+ it tells the KDC (and other servers)
+ which realms are allowed in a multi-hop
+ traversal from _c_l_i_e_n_t_-_r_e_a_l_m to _s_e_r_v_e_r_-
+ _r_e_a_l_m. Except for the client case, the
+ order of the realms are not important.
+
+ _}
+
+ [logging]
+
+ _e_n_t_i_t_y = _d_e_s_t_i_n_a_t_i_o_n
+ Specifies that _e_n_t_i_t_y should use the specified
+ destination for logging. See the krb5_openlog(3)
+ manual page for a list of defined destinations.
+
+ [kdc]
+
+ database = {
+
+ dbname = _D_A_T_A_B_A_S_E_N_A_M_E
+ Use this database for this realm.
+
+ realm = _R_E_A_L_M
+ Specifies the realm that will be stored
+
+ in this database.
+
+ mkey_file = _F_I_L_E_N_A_M_E
+ Use this keytab file for the master key
+ of this database. If not specified
+ _D_A_T_A_B_A_S_E_N_A_M_E.mkey will be used.
+
+ acl_file = PA FILENAME
+ Use this file for the ACL list of this
+ database.
+
+ log_file = _F_I_L_E_N_A_M_E
+ Use this file as the log of changes per-
+ formed to the database. This file is
+ used by iipprrooppdd--mmaasstteerr for propagating
+ changes to slaves.
+
+ }
+
+ max-request = _S_I_Z_E
+ Maximum size of a kdc request.
+
+ require-preauth = _B_O_O_L
+ If set pre-authentication is required. Since krb4
+ requests are not pre-authenticated they will be re-
+ jected.
+
+ ports = _l_i_s_t _o_f _p_o_r_t_s
+ List of ports the kdc should listen to.
+
+ addresses = _l_i_s_t _o_f _i_n_t_e_r_f_a_c_e_s
+ List of addresses the kdc should bind to.
+
+ enable-kerberos4 = _B_O_O_L
+ Turn on Kerberos 4 support.
+
+ v4-realm = _R_E_A_L_M
+ To what realm v4 requests should be mapped.
+
+ enable-524 = _B_O_O_L
+ Should the Kerberos 524 converting facility be
+ turned on. Default is same as _e_n_a_b_l_e_-_k_e_r_b_e_r_o_s_4.
+
+ enable-http = _B_O_O_L
+ Should the kdc answer kdc-requests over http.
+
+ enable-kaserver = _B_O_O_L
+ If this kdc should emulate the AFS kaserver.
+
+ check-ticket-addresses = _B_O_O_L
+ verify the addresses in the tickets used in tgs re-
+ quests.
+
+ allow-null-ticket-addresses = _B_O_O_L
+ Allow addresses-less tickets.
+
+ allow-anonymous = _B_O_O_L
+ If the kdc is allowed to hand out anonymous tick-
+ ets.
+
+ encode_as_rep_as_tgs_rep = _B_O_O_L
+ Encode as-rep as tgs-rep tobe compatible with mis-
+ takes older DCE secd did.
+
+ kdc_warn_pwexpire = _T_I_M_E
+ The time before expiration that the user should be
+ warned that her password is about to expire.
+
+ logging = _L_o_g_g_i_n_g
+ What type of logging the kdc should use, see also
+ [logging]/kdc.
+
+ use_2b = _p_r_i_n_c_i_p_a_l _l_i_s_t
+ List of principals to use AFS 2b tokens for.
+
+ [kadmin]
+
+ require-preauth = _B_O_O_L
+ If pre-authentication is required to talk to the
+ kadmin server.
+
+ default_keys = _k_e_y_t_y_p_e_s_._._.
+ for each entry in _d_e_f_a_u_l_t___k_e_y_s try to parse it as a
+ sequence of _e_t_y_p_e_:_s_a_l_t_t_y_p_e_:_s_a_l_t syntax of this if
+ something like:
+
+ [(des|des3|etype):](pw-salt|afs3-salt)[:string]
+
+ If _e_t_y_p_e is omitted it means everything, and if
+ string is omitted it means the default salt string
+ (for that principal and encryption type). Addi-
+ tional special values of keytypes are:
+
+ v5 The Kerberos 5 salt _p_w_-_s_a_l_t
+
+ v4 The Kerberos 4 salt _d_e_s_:_p_w_-_s_a_l_t_:
+
+ use_v4_salt = _B_O_O_L
+ When true, this is the same as
+
+ _d_e_f_a_u_l_t___k_e_y_s _= _d_e_s_3_:_p_w_-_s_a_l_t _v_4
+
+ and is only left for backwards compatibility.
+
+EENNVVIIRROONNMMEENNTT
+ KRB5_CONFIG points to the configuration file to read.
+
+FFIILLEESS
+ /etc/krb5.conf configuration file for Kerberos 5.
+
+EEXXAAMMPPLLEESS
+ [libdefaults]
+ default_realm = FOO.SE
+ [domain_realm]
+ .foo.se = FOO.SE
+ .bar.se = FOO.SE
+ [realms]
+ FOO.SE = {
+ kdc = kerberos.foo.se
+ v4_name_convert = {
+ rcmd = host
+ }
+ v4_instance_convert = {
+ xyz = xyz.bar.se
+ }
+ default_domain = foo.se
+ }
+ [logging]
+ kdc = FILE:/var/heimdal/kdc.log
+ kdc = SYSLOG:INFO
+ default = SYSLOG:INFO:USER
+
+DDIIAAGGNNOOSSTTIICCSS
+ Since kkrrbb55..ccoonnff is read and parsed by the krb5 library, there is not a
+ lot of opportunities for programs to report parsing errors in any useful
+ format. To help overcome this problem, there is a program
+ vveerriiffyy__kkrrbb55__ccoonnff that reads kkrrbb55..ccoonnff and tries to emit useful diagnos-
+ tics from parsing errors. Note that this program does not have any way
+ of knowing what options are actually used and thus cannot warn about un-
+ known or misspelled ones.
+
+SSEEEE AALLSSOO
+ kinit(1), krb5_425_conv_principal(3), krb5_openlog(3), strftime(3),
+ verify_krb5_conf(8)
+
+ HEIMDAL March 9, 2004 8
diff --git a/kerberosV/src/lib/krb5/krb5_425_conv_principal.cat3 b/kerberosV/src/lib/krb5/krb5_425_conv_principal.cat3
new file mode 100644
index 00000000000..9927c43e862
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_425_conv_principal.cat3
@@ -0,0 +1,141 @@
+
+KRB5_425_CONV_PRINCIPAL(3) UNIX Programmer's Manual KRB5_425_CONV_PRINCIPAL(3)
+
+NNAAMMEE
+ kkrrbb55__442255__ccoonnvv__pprriinncciippaall, kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt,
+ kkrrbb55__552244__ccoonnvv__pprriinncciippaall - converts to and from version 4 principals
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__442255__ccoonnvv__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e,
+ _c_o_n_s_t _c_h_a_r _*_i_n_s_t_a_n_c_e, _c_o_n_s_t _c_h_a_r _*_r_e_a_l_m,
+ _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e,
+ _c_o_n_s_t _c_h_a_r _*_i_n_s_t_a_n_c_e, _c_o_n_s_t _c_h_a_r _*_r_e_a_l_m,
+ _k_r_b_5___b_o_o_l_e_a_n _(_*_f_u_n_c_)_(_k_r_b_5___c_o_n_t_e_x_t_, _k_r_b_5___p_r_i_n_c_i_p_a_l_),
+ _k_r_b_5___b_o_o_l_e_a_n _r_e_s_o_l_v_e, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__552244__ccoonnvv__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _c_o_n_s_t _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _c_h_a_r _*_n_a_m_e, _c_h_a_r _*_i_n_s_t_a_n_c_e,
+ _c_h_a_r _*_r_e_a_l_m)
+
+DDEESSCCRRIIPPTTIIOONN
+ Converting between version 4 and version 5 principals can at best be de-
+ scribed as a mess.
+
+ A version 4 principal consists of a name, an instance, and a realm. A
+ version 5 principal consists of one or more components, and a realm. In
+ some cases also the first component/name will differ between version 4
+ and version 5. Furthermore the second component of a host principal will
+ be the fully qualified domain name of the host in question, while the in-
+ stance of a version 4 principal will only contain the first part (short
+ hostname). Because of these problems the conversion between principals
+ will have to be site customized.
+
+ kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt() will try to convert a version 4 principal,
+ given by _n_a_m_e, _i_n_s_t_a_n_c_e, and _r_e_a_l_m, to a version 5 principal. This can
+ result in several possible principals, and if _f_u_n_c is non-NULL, it will
+ be called for each candidate principal. _f_u_n_c should return true if the
+ principal was ``good''. To accomplish this, kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt()
+ will look up the name in _k_r_b_5_._c_o_n_f. It first looks in the
+ v4_name_convert/host subsection, which should contain a list of version 4
+ names whose instance should be treated as a hostname. This list can be
+ specified for each realm (in the realms section), or in the libdefaults
+ section. If the name is found the resulting name of the principal will
+ be the value of this binding. The instance is then first looked up in
+ v4_instance_convert for the specified realm. If found the resulting value
+ will be used as instance (this can be used for special cases), no further
+ attempts will be made to find a conversion if this fails (with _f_u_n_c). If
+ the _r_e_s_o_l_v_e parameter is true, the instance will be looked up with
+ ggeetthhoossttbbyynnaammee(). This can be a time consuming, error prone, and unsafe
+ operation. Next a list of hostnames will be created from the instance
+ and the v4_domains variable, which should contain a list of possible do-
+ mains for the specific realm.
+
+ On the other hand, if the name is not found in a host section, it is
+ looked up in a v4_name_convert/plain binding. If found here the name will
+ be converted, but the instance will be untouched.
+
+
+ This list of default host-type conversions is compiled-in:
+
+ v4_name_convert = {
+ host = {
+ ftp = ftp
+ hprop = hprop
+ imap = imap
+ pop = pop
+ rcmd = host
+ smtp = smtp
+ }
+ }
+
+ It will only be used if there isn't an entry for these names in the con-
+ fig file, so you can override these defaults.
+
+ kkrrbb55__442255__ccoonnvv__pprriinncciippaall() will call kkrrbb55__442255__ccoonnvv__pprriinncciippaall__eexxtt() with
+ NULL as _f_u_n_c, and the value of v4_instance_resolve (from the libdefaults
+ section) as _r_e_s_o_l_v_e.
+
+ kkrrbb55__552244__ccoonnvv__pprriinncciippaall() basically does the opposite of
+ kkrrbb55__442255__ccoonnvv__pprriinncciippaall(), it just doesn't have to look up any names, but
+ will instead truncate instances found to belong to a host principal. The
+ _n_a_m_e, _i_n_s_t_a_n_c_e, and _r_e_a_l_m should be at least 40 characters long.
+
+EEXXAAMMPPLLEESS
+ Since this is confusing an example is in place.
+
+ Assume that we have the ``foo.com'', and ``bar.com'' domains that have
+ shared a single version 4 realm, FOO.COM. The version 4 _k_r_b_._r_e_a_l_m_s file
+ looked like:
+
+ foo.com FOO.COM
+ .foo.com FOO.COM
+ .bar.com FOO.COM
+
+ A _k_r_b_5_._c_o_n_f file that covers this case might look like:
+
+ [libdefaults]
+ v4_instance_resolve = yes
+ [realms]
+ FOO.COM = {
+ kdc = kerberos.foo.com
+ v4_instance_convert = {
+ foo = foo.com
+ }
+ v4_domains = foo.com
+ }
+
+ With this setup and the following host table:
+
+ foo.com
+ a-host.foo.com
+ b-host.bar.com
+ the following conversions will be made:
+
+ rcmd.a-host -> host/a-host.foo.com
+ ftp.b-host -> ftp/b-host.bar.com
+ pop.foo -> pop/foo.com
+ ftp.other -> ftp/other.foo.com
+ other.a-host -> other/a-host
+
+ The first three are what you expect. If you remove the ``v4_domains'',
+ the fourth entry will result in an error (since the host ``other'' can't
+ be found). Even if ``a-host'' is a valid host name, the last entry will
+ not be converted, since the ``other'' name is not known to represent a
+ host-type principal. If you turn off ``v4_instance_resolve'' the second
+ example will result in ``ftp/b-host.foo.com'' (because of the default do-
+ main). And all of this is of course only valid if you have working name
+ resolving.
+
+SSEEEE AALLSSOO
+ krb5_build_principal(3), krb5_free_principal(3), krb5_parse_name(3),
+ krb5_sname_to_principal(3), krb5_unparse_name(3), krb5.conf(5)
+
+ HEIMDAL April 11, 1999 3
diff --git a/kerberosV/src/lib/krb5/krb5_address.cat3 b/kerberosV/src/lib/krb5/krb5_address.cat3
new file mode 100644
index 00000000000..423b1d8d563
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_address.cat3
@@ -0,0 +1,163 @@
+
+KRB5_ADDRESS(3) UNIX Programmer's Manual KRB5_ADDRESS(3)
+
+NNAAMMEE
+ kkrrbb55__aaddddrreessss, kkrrbb55__aaddddrreesssseess, kkrrbb55__ssoocckkaaddddrr22aaddddrreessss, kkrrbb55__ssoocckkaaddddrr22ppoorrtt,
+ kkrrbb55__aaddddrr22ssoocckkaaddddrr, kkrrbb55__mmaaxx__ssoocckkaaddddrr__ssiizzee, kkrrbb55__ssoocckkaaddddrr__uunniinntteerreessttiinngg,
+ kkrrbb55__hh__aaddddrr22ssoocckkaaddddrr, kkrrbb55__hh__aaddddrr22aaddddrr, kkrrbb55__aannyyaaddddrr, kkrrbb55__pprriinntt__aaddddrreessss,
+ kkrrbb55__ppaarrssee__aaddddrreessss, kkrrbb55__aaddddrreessss__oorrddeerr, kkrrbb55__aaddddrreessss__ccoommppaarree,
+ kkrrbb55__aaddddrreessss__sseeaarrcchh, kkrrbb55__ffrreeee__aaddddrreessss, kkrrbb55__ffrreeee__aaddddrreesssseess,
+ kkrrbb55__ccooppyy__aaddddrreessss, kkrrbb55__ccooppyy__aaddddrreesssseess, kkrrbb55__aappppeenndd__aaddddrreesssseess,
+ kkrrbb55__mmaakkee__aaddddrrppoorrtt - mange addresses in Kerberos.
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ssoocckkaaddddrr22aaddddrreessss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _s_t_r_u_c_t _s_o_c_k_a_d_d_r _*_s_a,
+ _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ssoocckkaaddddrr22ppoorrtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _s_t_r_u_c_t _s_o_c_k_a_d_d_r _*_s_a,
+ _i_n_t_1_6___t _*_p_o_r_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aaddddrr22ssoocckkaaddddrr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r,
+ _s_t_r_u_c_t _s_o_c_k_a_d_d_r _*_s_a, _k_r_b_5___s_o_c_k_l_e_n___t _*_s_a___s_i_z_e, _i_n_t _p_o_r_t)
+
+ _s_i_z_e___t
+ kkrrbb55__mmaaxx__ssoocckkaaddddrr__ssiizzee(_v_o_i_d)
+
+ _k_r_b_5___b_o_o_l_e_a_n
+ kkrrbb55__ssoocckkaaddddrr__uunniinntteerreessttiinngg(_c_o_n_s_t _s_t_r_u_c_t _s_o_c_k_a_d_d_r _*_s_a)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__hh__aaddddrr22ssoocckkaaddddrr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _a_f, _c_o_n_s_t _c_h_a_r _*_a_d_d_r,
+ _s_t_r_u_c_t _s_o_c_k_a_d_d_r _*_s_a, _k_r_b_5___s_o_c_k_l_e_n___t _*_s_a___s_i_z_e, _i_n_t _p_o_r_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__hh__aaddddrr22aaddddrr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _a_f, _c_o_n_s_t _c_h_a_r _*_h_a_d_d_r,
+ _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aannyyaaddddrr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _a_f, _s_t_r_u_c_t _s_o_c_k_a_d_d_r _*_s_a,
+ _k_r_b_5___s_o_c_k_l_e_n___t _*_s_a___s_i_z_e, _i_n_t _p_o_r_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__pprriinntt__aaddddrreessss(_c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r, _c_h_a_r _*_s_t_r, _s_i_z_e___t _l_e_n,
+ _s_i_z_e___t _*_r_e_t___l_e_n)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ppaarrssee__aaddddrreessss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_s_t_r_i_n_g,
+ _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_e_s_s_e_s)
+
+ _i_n_t
+ kkrrbb55__aaddddrreessss__oorrddeerr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r_1,
+ _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r_2)
+
+ _k_r_b_5___b_o_o_l_e_a_n
+ kkrrbb55__aaddddrreessss__ccoommppaarree(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r_1,
+ _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r_2)
+
+ _k_r_b_5___b_o_o_l_e_a_n
+ kkrrbb55__aaddddrreessss__sseeaarrcchh(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r,
+ _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_l_i_s_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ffrreeee__aaddddrreessss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r_e_s_s)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ffrreeee__aaddddrreesssseess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_e_s_s_e_s)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ccooppyy__aaddddrreessss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_i_n_a_d_d_r,
+ _k_r_b_5___a_d_d_r_e_s_s _*_o_u_t_a_d_d_r)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ccooppyy__aaddddrreesssseess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s_e_s _*_i_n_a_d_d_r,
+ _k_r_b_5___a_d_d_r_e_s_s_e_s _*_o_u_t_a_d_d_r)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aappppeenndd__aaddddrreesssseess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s_e_s _*_d_e_s_t,
+ _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s_e_s _*_s_o_u_r_c_e)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__mmaakkee__aaddddrrppoorrtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s _*_*_r_e_s,
+ _c_o_n_s_t _k_r_b_5___a_d_d_r_e_s_s _*_a_d_d_r, _i_n_t_1_6___t _p_o_r_t)
+
+DDEESSCCRRIIPPTTIIOONN
+ The krb5_address structure holds a address that can be used in Kerberos
+ API calls. There are help functions to set and extract address informa-
+ tion of the address.
+
+ The krb5_addresses structure holds a set of krb5_address:es.
+
+ kkrrbb55__ssoocckkaaddddrr22aaddddrreessss() stores a address a struct sockaddr _s_a in the
+ krb5_address _a_d_d_r.
+
+ kkrrbb55__ssoocckkaaddddrr22ppoorrtt() extracts a _p_o_r_t (if possible) from a struct sockaddr
+ _s_a.
+
+ kkrrbb55__aaddddrr22ssoocckkaaddddrr() sets the struct sockaddr _s_o_c_k_a_d_d_r from _a_d_d_r and
+ _p_o_r_t. _S_a___s_i_z_e should be initially contain the size of the _s_a, and after
+ the call, it will contain the actual length of the address.
+
+ kkrrbb55__mmaaxx__ssoocckkaaddddrr__ssiizzee() returns the max size of the struct sockaddr that
+ the Kerberos library will return.
+
+ kkrrbb55__ssoocckkaaddddrr__uunniinntteerreessttiinngg() returns TRUE for all _s_a that for that the
+ kerberos library thinks are uninteresting. One example are link local
+ addresses.
+
+ kkrrbb55__hh__aaddddrr22ssoocckkaaddddrr() initializes a struct sockaddr _s_a from _a_f and the
+ struct hostent (see gethostbyname(3)) _h___a_d_d_r___l_i_s_t component. _S_a___s_i_z_e
+ should be initially contain the size of the _s_a, and after the call, it
+ will contain the actual length of the address. _s_a argument.
+
+ kkrrbb55__hh__aaddddrr22aaddddrr() works like kkrrbb55__hh__aaddddrr22ssoocckkaaddddrr() with the exception
+ that it operates on a krb5_address instead of a struct sockaddr
+
+ kkrrbb55__aannyyaaddddrr() fills in a struct sockaddr _s_a that can be used to to.
+ _S_a___s_i_z_e should be initially contain the size of the _s_a, and after the
+ call, it will contain the actual length of the address.
+
+ kkrrbb55__pprriinntt__aaddddrreessss() prints the address in _a_d_d_r to the a string _s_t_r_i_n_g
+ that have the length _l_e_n. If _r_e_t___l_e_n if not NULL, it will be filled in
+ length of the string.
+
+ kkrrbb55__ppaarrssee__aaddddrreessss() Returns the resolving a hostname in _s_t_r_i_n_g to the
+ krb5_addresses _a_d_d_r_e_s_s_e_s.
+
+
+ kkrrbb55__aaddddrreessss__oorrddeerr() compares to addresses _a_d_d_r_1 and _a_d_d_r_2 so that it can
+ be used for sorting addresses. If the addresses are the same address
+ _k_r_b_5___a_d_d_r_e_s_s___o_r_d_e_r _w_i_l_l _b_e _r_e_t_u_r_n _0_.
+
+ kkrrbb55__aaddddrreessss__ccoommppaarree() compares the addresses _a_d_d_r_1 and _a_d_d_r_2. returns
+ TRUE if the two addresses are the same.
+
+ kkrrbb55__aaddddrreessss__sseeaarrcchh() checks if the address _a_d_d_r is a member of the ad-
+ dress set list _a_d_d_r_l_i_s_t.
+
+ kkrrbb55__ffrreeee__aaddddrreessss() frees the data stored in the _a_d_d_r_e_s_s that is alloced
+ with any of the krb5_address functions.
+
+ kkrrbb55__ffrreeee__aaddddrreesssseess() frees the data stored in the _a_d_d_r_e_s_s_e_s that is al-
+ loced with any of the krb5_address functions.
+
+ kkrrbb55__ccooppyy__aaddddrreessss() copies the content of address _i_n_a_d_d_r to _o_u_t_a_d_d_r.
+
+ kkrrbb55__ccooppyy__aaddddrreesssseess() copies the content of the address list _i_n_a_d_d_r to
+ _o_u_t_a_d_d_r.
+
+ kkrrbb55__aappppeenndd__aaddddrreesssseess() adds the set of addresses in _s_o_u_r_c_e to _d_e_s_t.
+ While copying the addresses, duplicates are also sorted out.
+
+ kkrrbb55__mmaakkee__aaddddrrppoorrtt() allocates and creates an krb5_address in _r_e_s of type
+ KRB5_ADDRESS_ADDRPORT from (_a_d_d_r, _p_o_r_t).
+
+SSEEEE AALLSSOO
+ krb5(3), krb5.conf(5), kerberos(8)
+
+ HEIMDAL March 11, 2002 3
diff --git a/kerberosV/src/lib/krb5/krb5_aname_to_localname.cat3 b/kerberosV/src/lib/krb5/krb5_aname_to_localname.cat3
new file mode 100644
index 00000000000..5a662c8b379
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_aname_to_localname.cat3
@@ -0,0 +1,37 @@
+
+KRB5_ANAME_TO_LOCALNAME(3) UNIX Programmer's Manual KRB5_ANAME_TO_LOCALNAME(3)
+
+NNAAMMEE
+ kkrrbb55__aannaammee__ttoo__llooccaallnnaammee - converts a principal to a system local name.
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___b_o_o_l_e_a_n
+ kkrrbb55__aannaammee__ttoo__llooccaallnnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _n_a_m_e,
+ _s_i_z_e___t _l_n_s_i_z_e, _c_h_a_r _*_l_n_a_m_e)
+
+DDEESSCCRRIIPPTTIIOONN
+ This function takes a principal _n_a_m_e, verifies its in the local realm
+ (using kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss()) and then returns the local name of the
+ principal.
+
+ If _n_a_m_e isn't in one of the local realms and error is returned.
+
+ If size (_l_n_s_i_z_e) of the local name (_l_n_a_m_e) is to small, an error is re-
+ turned.
+
+ kkrrbb55__aannaammee__ttoo__llooccaallnnaammee() should only be use by application that imple-
+ ments protocols that doesn't transport the login name and thus needs to
+ convert a principal to a local name.
+
+ Protocols should be designed so that the it autheticates using Kerberos,
+ send over the login name and then verifies in the principal that authen-
+ ticated is allowed to login and the login name. A way to check if a user
+ is allowed to login is using the function kkrrbb55__kkuusseerrookk().
+
+SSEEEE AALLSSOO
+ krb5_get_default_realms(3), krb5_kuserok(3)
+
+ HEIMDAL March 17, 2003 1
diff --git a/kerberosV/src/lib/krb5/krb5_appdefault.cat3 b/kerberosV/src/lib/krb5/krb5_appdefault.cat3
new file mode 100644
index 00000000000..0b5f485d958
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_appdefault.cat3
@@ -0,0 +1,55 @@
+
+KRB5_APPDEFAULT(3) UNIX Programmer's Manual KRB5_APPDEFAULT(3)
+
+NNAAMMEE
+ kkrrbb55__aappppddeeffaauulltt__bboooolleeaann, kkrrbb55__aappppddeeffaauulltt__ssttrriinngg, kkrrbb55__aappppddeeffaauulltt__ttiimmee -
+ get application configuration value
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _v_o_i_d
+ kkrrbb55__aappppddeeffaauulltt__bboooolleeaann(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_a_p_p_n_a_m_e,
+ _k_r_b_5___r_e_a_l_m _r_e_a_l_m, _c_o_n_s_t _c_h_a_r _*_o_p_t_i_o_n, _k_r_b_5___b_o_o_l_e_a_n _d_e_f___v_a_l,
+ _k_r_b_5___b_o_o_l_e_a_n _*_r_e_t___v_a_l)
+
+ _v_o_i_d
+ kkrrbb55__aappppddeeffaauulltt__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_a_p_p_n_a_m_e,
+ _k_r_b_5___r_e_a_l_m _r_e_a_l_m, _c_o_n_s_t _c_h_a_r _*_o_p_t_i_o_n, _c_o_n_s_t _c_h_a_r _*_d_e_f___v_a_l,
+ _c_h_a_r _*_*_r_e_t___v_a_l)
+
+ _v_o_i_d
+ kkrrbb55__aappppddeeffaauulltt__ttiimmee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_a_p_p_n_a_m_e,
+ _k_r_b_5___r_e_a_l_m _r_e_a_l_m, _c_o_n_s_t _c_h_a_r _*_o_p_t_i_o_n, _t_i_m_e___t _d_e_f___v_a_l,
+ _t_i_m_e___t _*_r_e_t___v_a_l)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions get application defaults from the appdefaults section of
+ the krb5.conf(5) configuration file. These defaults can be specified per
+ application, and/or per realm.
+
+ These values will be looked for in krb5.conf(5), in order of descending
+ importance.
+
+ [appdefaults]
+ appname = {
+ realm = {
+ option = value
+ }
+ }
+ appname = {
+ option = value
+ }
+ realm = {
+ option = value
+ }
+ option = value
+ _a_p_p_n_a_m_e is the name of the application, and _r_e_a_l_m is the realm name. If
+ the realm is omitted it will not be used for resolving values. _d_e_f___v_a_l
+ is the value to return if no value is found in krb5.conf(5).
+
+SSEEEE AALLSSOO
+ krb5_config(3), krb5.conf(5)
+
+ HEIMDAL July 25, 2000 1
diff --git a/kerberosV/src/lib/krb5/krb5_auth_context.cat3 b/kerberosV/src/lib/krb5/krb5_auth_context.cat3
new file mode 100644
index 00000000000..025e739f459
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_auth_context.cat3
@@ -0,0 +1,167 @@
+
+KRB5_AUTH_CONTEXT(3) UNIX Programmer's Manual KRB5_AUTH_CONTEXT(3)
+
+NNAAMMEE
+ kkrrbb55__aauutthh__ccoonntteexxtt, kkrrbb55__aauutthh__ccoonn__iinniitt, kkrrbb55__aauutthh__ccoonn__ffrreeee,
+ kkrrbb55__aauutthh__ccoonn__sseettffllaaggss, kkrrbb55__aauutthh__ccoonn__ggeettffllaaggss, kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss,
+ kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss__ffrroomm__ffdd, kkrrbb55__aauutthh__ccoonn__ggeettaaddddrrss,
+ kkrrbb55__aauutthh__ccoonn__ggeennaaddddrrss, kkrrbb55__aauutthh__ccoonn__ggeettkkeeyy, kkrrbb55__aauutthh__ccoonn__sseettkkeeyy,
+ kkrrbb55__aauutthh__ccoonn__ggeettuusseerrkkeeyy, kkrrbb55__aauutthh__ccoonn__sseettuusseerrkkeeyy,
+ kkrrbb55__aauutthh__ccoonn__ggeettllooccaallssuubbkkeeyy, kkrrbb55__aauutthh__ccoonn__sseettllooccaallssuubbkkeeyy,
+ kkrrbb55__aauutthh__ccoonn__ggeettrreemmootteessuubbkkeeyy, kkrrbb55__aauutthh__ccoonn__sseettrreemmootteessuubbkkeeyy,
+ kkrrbb55__aauutthh__sseettcckkssuummttyyppee, kkrrbb55__aauutthh__ggeettcckkssuummttyyppee, kkrrbb55__aauutthh__sseettkkeeyyttyyppee,
+ kkrrbb55__aauutthh__ggeettkkeeyyttyyppee, kkrrbb55__aauutthh__ggeettllooccaallsseeqqnnuummbbeerr,
+ kkrrbb55__aauutthh__sseettllooccaallsseeqqnnuummbbeerr, kkrrbb55__aauutthh__ggeettrreemmootteesseeqqnnuummbbeerr,
+ kkrrbb55__aauutthh__sseettrreemmootteesseeqqnnuummbbeerr, kkrrbb55__aauutthh__ggeettaauutthheennttiiccaattoorr,
+ kkrrbb55__aauutthh__ccoonn__ggeettrrccaacchhee, kkrrbb55__aauutthh__ccoonn__sseettrrccaacchhee,
+ kkrrbb55__aauutthh__ccoonn__iinniittiivveeccttoorr, kkrrbb55__aauutthh__ccoonn__sseettiivveeccttoorr - manage authentica-
+ tion on connection level
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aauutthh__ccoonn__iinniitt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _*_a_u_t_h___c_o_n_t_e_x_t)
+
+ _v_o_i_d
+ kkrrbb55__aauutthh__ccoonn__ffrreeee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aauutthh__ccoonn__sseettffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _i_n_t_3_2___t _f_l_a_g_s)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aauutthh__ccoonn__ggeettffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _i_n_t_3_2___t _*_f_l_a_g_s)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s _*_l_o_c_a_l___a_d_d_r,
+ _k_r_b_5___a_d_d_r_e_s_s _*_r_e_m_o_t_e___a_d_d_r)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aauutthh__ccoonn__ggeettaaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s _*_*_l_o_c_a_l___a_d_d_r,
+ _k_r_b_5___a_d_d_r_e_s_s _*_*_r_e_m_o_t_e___a_d_d_r)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aauutthh__ccoonn__ggeennaaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _i_n_t _f_d, _i_n_t _f_l_a_g_s)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss__ffrroomm__ffdd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _v_o_i_d _*_p___f_d)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aauutthh__ccoonn__ggeettkkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___k_e_y_b_l_o_c_k _*_*_k_e_y_b_l_o_c_k)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aauutthh__ccoonn__ggeettllooccaallssuubbkkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___k_e_y_b_l_o_c_k _*_*_k_e_y_b_l_o_c_k)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aauutthh__ccoonn__ggeettrreemmootteessuubbkkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___k_e_y_b_l_o_c_k _*_*_k_e_y_b_l_o_c_k)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aauutthh__ccoonn__iinniittiivveeccttoorr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _a_u_t_h___c_o_n_t_e_x_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aauutthh__ccoonn__sseettiivveeccttoorr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___a_u_t_h___c_o_n_t_e_x_t _*_a_u_t_h___c_o_n_t_e_x_t, _k_r_b_5___p_o_i_n_t_e_r _i_v_e_c_t_o_r)
+
+DDEESSCCRRIIPPTTIIOONN
+ The kkrrbb55__aauutthh__ccoonntteexxtt structure holds all context related to an authenti-
+ cated connection, in a similar way to kkrrbb55__ccoonntteexxtt that holds the context
+ for the thread or process. kkrrbb55__aauutthh__ccoonntteexxtt is used by various func-
+ tions that are directly related to authentication between the serv-
+ er/client. Example of data that this structure contains are various
+ flags, addresses of client and server, port numbers, keyblocks (and sub-
+ keys), sequence numbers, replay cache, and checksum-type.
+
+ kkrrbb55__aauutthh__ccoonn__iinniitt() allocates and initializes the kkrrbb55__aauutthh__ccoonntteexxtt
+ structure. Default values can be changed with
+ kkrrbb55__aauutthh__ccoonn__sseettcckkssuummttyyppee() and kkrrbb55__aauutthh__ccoonn__sseettffllaaggss(). The
+ aauutthh__ccoonntteexxtt structure must be freed by kkrrbb55__aauutthh__ccoonn__ffrreeee().
+
+ kkrrbb55__aauutthh__ccoonn__ggeettffllaaggss() and kkrrbb55__aauutthh__ccoonn__sseettffllaaggss() gets and modifies
+ the flags for a kkrrbb55__aauutthh__ccoonntteexxtt structure. Possible flags to set are:
+
+ KRB5_AUTH_CONTEXT_DO_TIME
+ check timestamp on incoming packets.
+
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE
+ Generate and check sequence-number on each packet.
+
+ kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss(), kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss__ffrroomm__ffdd() and
+ kkrrbb55__aauutthh__ccoonn__ggeettaaddddrrss() gets and sets the addresses that are checked
+ when a packet is received. It is mandatory to set an address for the re-
+ mote host. If the local address is not set, it iss deduced from the un-
+ derlaying operating system. kkrrbb55__aauutthh__ccoonn__ggeettaaddddrrss() will call
+ kkrrbb55__ffrreeee__aaddddrreessss() on any address that is passed in _l_o_c_a_l___a_d_d_r or
+ _r_e_m_o_t_e___a_d_d_r. kkrrbb55__aauutthh__ccoonn__sseettaaddddrr() allows passing in a NULL pointer as
+ _l_o_c_a_l___a_d_d_r and _r_e_m_o_t_e___a_d_d_r, in that case it will just not set that ad-
+ dress.
+
+ kkrrbb55__aauutthh__ccoonn__sseettaaddddrrss__ffrroomm__ffdd() fetches the addresses from a file de-
+ scriptor.
+
+ kkrrbb55__aauutthh__ccoonn__ggeennaaddddrrss() fetches the address information from the given
+ file descriptor _f_d depending on the bitmap argument _f_l_a_g_s.
+
+ Possible values on _f_l_a_g_s are:
+
+ _K_R_B_5___A_U_T_H___C_O_N_T_E_X_T___G_E_N_E_R_A_T_E___L_O_C_A_L___A_D_D_R
+ fetches the local address from _f_d.
+
+ _K_R_B_5___A_U_T_H___C_O_N_T_E_X_T___G_E_N_E_R_A_T_E___R_E_M_O_T_E___A_D_D_R
+ fetches the remote address from _f_d.
+
+ kkrrbb55__aauutthh__ccoonn__sseettkkeeyy(), kkrrbb55__aauutthh__ccoonn__sseettuusseerrkkeeyy() and
+ kkrrbb55__aauutthh__ccoonn__ggeettkkeeyy() gets and sets the key used for this auth context.
+ The keyblock returned by kkrrbb55__aauutthh__ccoonn__ggeettkkeeyy() should be freed with
+ kkrrbb55__ffrreeee__kkeeyybblloocckk(). The keyblock send into kkrrbb55__aauutthh__ccoonn__sseettkkeeyy() is
+ copied into the kkrrbb55__aauutthh__ccoonntteexxtt, and thus no special handling is need-
+ ed. NULL is not a valid keyblock to kkrrbb55__aauutthh__ccoonn__sseettkkeeyy().
+
+ kkrrbb55__aauutthh__ccoonn__sseettuusseerrkkeeyy() is only useful when doing user to user authen-
+ tication. kkrrbb55__aauutthh__ccoonn__sseettkkeeyy() is equivalent to
+ kkrrbb55__aauutthh__ccoonn__sseettuusseerrkkeeyy().
+
+ kkrrbb55__aauutthh__ccoonn__ggeettllooccaallssuubbkkeeyy(), kkrrbb55__aauutthh__ccoonn__sseettllooccaallssuubbkkeeyy(),
+ kkrrbb55__aauutthh__ccoonn__ggeettrreemmootteessuubbkkeeyy() and kkrrbb55__aauutthh__ccoonn__sseettrreemmootteessuubbkkeeyy() gets
+ and sets the keyblock for the local and remote subkey. The keyblock re-
+ turned by kkrrbb55__aauutthh__ccoonn__ggeettllooccaallssuubbkkeeyy() and
+ kkrrbb55__aauutthh__ccoonn__ggeettrreemmootteessuubbkkeeyy() must be freed with kkrrbb55__ffrreeee__kkeeyybblloocckk().
+
+ kkrrbb55__aauutthh__sseettcckkssuummttyyppee() and kkrrbb55__aauutthh__ggeettcckkssuummttyyppee() sets and gets the
+ checksum type that should be used for this connection.
+
+ kkrrbb55__aauutthh__ggeettrreemmootteesseeqqnnuummbbeerr() kkrrbb55__aauutthh__sseettrreemmootteesseeqqnnuummbbeerr(),
+ kkrrbb55__aauutthh__ggeettllooccaallsseeqqnnuummbbeerr() and kkrrbb55__aauutthh__sseettllooccaallsseeqqnnuummbbeerr() gets and
+ sets the sequence-number for the local and remote sequence-number
+ counter.
+
+ kkrrbb55__aauutthh__sseettkkeeyyttyyppee() and kkrrbb55__aauutthh__ggeettkkeeyyttyyppee() gets and gets the key-
+ type of the keyblock in kkrrbb55__aauutthh__ccoonntteexxtt.
+
+ kkrrbb55__aauutthh__ggeettaauutthheennttiiccaattoorr() Retrieves the authenticator that was used
+ during mutual authentication. The authenticator returned should be freed
+ by calling kkrrbb55__ffrreeee__aauutthheennttiiccaattoorr().
+
+ kkrrbb55__aauutthh__ccoonn__ggeettrrccaacchhee() and kkrrbb55__aauutthh__ccoonn__sseettrrccaacchhee() gets and sets the
+ replay-cache.
+
+ kkrrbb55__aauutthh__ccoonn__iinniittiivveeccttoorr() allocates memory for and zeros the initial
+ vector in the _a_u_t_h___c_o_n_t_e_x_t keyblock.
+
+ kkrrbb55__aauutthh__ccoonn__sseettiivveeccttoorr() sets the i_vector portion of _a_u_t_h___c_o_n_t_e_x_t to
+ _i_v_e_c_t_o_r.
+
+SSEEEE AALLSSOO
+ krb5_context(3), kerberos(8)
+
+ HEIMDAL January 21, 2001 3
diff --git a/kerberosV/src/lib/krb5/krb5_build_principal.cat3 b/kerberosV/src/lib/krb5/krb5_build_principal.cat3
new file mode 100644
index 00000000000..087dd93eafd
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_build_principal.cat3
@@ -0,0 +1,58 @@
+
+KRB5_BUILD_PRINCIPAL(3) UNIX Programmer's Manual KRB5_BUILD_PRINCIPAL(3)
+
+NNAAMMEE
+ kkrrbb55__bbuuiilldd__pprriinncciippaall, kkrrbb55__bbuuiilldd__pprriinncciippaall__eexxtt, kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa,
+ kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa__eexxtt, kkrrbb55__mmaakkee__pprriinncciippaall - principal creation
+ functions
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__bbuuiilldd__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l,
+ _i_n_t _r_e_a_l_m___l_e_n, _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m, _._._.)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__bbuuiilldd__pprriinncciippaall__eexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l,
+ _i_n_t _r_e_a_l_m___l_e_n, _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m, _._._.)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l,
+ _i_n_t _r_e_a_l_m___l_e_n, _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m, _v_a___l_i_s_t _a_p)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa__eexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l, _i_n_t _r_e_a_l_m___l_e_n, _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m,
+ _v_a___l_i_s_t _a_p)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__mmaakkee__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l,
+ _k_r_b_5___c_o_n_s_t___r_e_a_l_m _r_e_a_l_m, _._._.)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions create a Kerberos 5 principal from a realm and a list of
+ components. All of these functions return an allocated principal in the
+ _p_r_i_n_c_i_p_a_l parameter, this should be freed with kkrrbb55__ffrreeee__pprriinncciippaall() af-
+ ter use.
+
+ The ``build'' functions take a _r_e_a_l_m and the length of the realm. The
+ kkrrbb55__bbuuiilldd__pprriinncciippaall() and kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa() also takes a list of
+ components (zero-terminated strings), terminated with NULL. The
+ kkrrbb55__bbuuiilldd__pprriinncciippaall__eexxtt() and kkrrbb55__bbuuiilldd__pprriinncciippaall__vvaa__eexxtt() takes a list
+ of length-value pairs, the list is terminated with a zero length.
+
+ The kkrrbb55__mmaakkee__pprriinncciippaall() is a wrapper around kkrrbb55__bbuuiilldd__pprriinncciippaall(). If
+ the realm is NULL, the default realm will be used.
+
+BBUUGGSS
+ You can not have a NUL in a component. Until someone can give a good ex-
+ ample of where it would be a good idea to have NUL's in a component, this
+ will not be fixed.
+
+SSEEEE AALLSSOO
+ krb5_425_conv_principal(3), krb5_free_principal(3), krb5_parse_name(3),
+ krb5_sname_to_principal(3), krb5_unparse_name(3)
+
+ HEIMDAL August 8, 1997 1
diff --git a/kerberosV/src/lib/krb5/krb5_ccache.cat3 b/kerberosV/src/lib/krb5/krb5_ccache.cat3
new file mode 100644
index 00000000000..19624ffb117
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_ccache.cat3
@@ -0,0 +1,176 @@
+
+KRB5_CCACHE(3) UNIX Programmer's Manual KRB5_CCACHE(3)
+
+NNAAMMEE
+ kkrrbb55__ccccaacchhee, kkrrbb55__cccc__ccuurrssoorr, kkrrbb55__cccc__ooppss, kkrrbb55__ffcccc__ooppss, kkrrbb55__mmcccc__ooppss,
+ kkrrbb55__cccc__cclloossee, kkrrbb55__cccc__ccooppyy__ccaacchhee, kkrrbb55__cccc__ddeeffaauulltt, kkrrbb55__cccc__ddeeffaauulltt__nnaammee,
+ kkrrbb55__cccc__ddeessttrrooyy, kkrrbb55__cccc__eenndd__sseeqq__ggeett, kkrrbb55__cccc__ggeenn__nneeww, kkrrbb55__cccc__ggeett__nnaammee,
+ kkrrbb55__cccc__ggeett__pprriinncciippaall, kkrrbb55__cccc__ggeett__ttyyppee, kkrrbb55__cccc__ggeett__ooppss,
+ kkrrbb55__cccc__ggeett__vveerrssiioonn, kkrrbb55__cccc__iinniittiiaalliizzee, kkrrbb55__cccc__rreeggiisstteerr,
+ kkrrbb55__cccc__rreessoollvvee, kkrrbb55__cccc__rreettrriieevvee__ccrreedd, kkrrbb55__cccc__rreemmoovvee__ccrreedd,
+ kkrrbb55__cccc__sseett__ddeeffaauulltt__nnaammee, kkrrbb55__cccc__ssttoorree__ccrreedd, kkrrbb55__cccc__sseett__ffllaaggss,
+ kkrrbb55__cccc__nneexxtt__ccrreedd - mange credential cache.
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ struct krb5_ccache;
+
+ struct krb5_cc_cursor;
+
+ struct krb5_cc_ops;
+
+ struct krb5_cc_ops *krb5_fcc_ops;
+
+ struct krb5_cc_ops *krb5_mcc_ops;
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__cclloossee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__ccooppyy__ccaacchhee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_c_a_c_h_e _f_r_o_m,
+ _k_r_b_5___c_c_a_c_h_e _t_o)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__ddeeffaauulltt(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _*_i_d)
+
+ _c_o_n_s_t _c_h_a_r _*
+ kkrrbb55__cccc__ddeeffaauulltt__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__ddeessttrrooyy(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__eenndd__sseeqq__ggeett(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_c_a_c_h_e _i_d,
+ _k_r_b_5___c_c___c_u_r_s_o_r _*_c_u_r_s_o_r)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__ggeenn__nneeww(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_c___o_p_s _*_o_p_s,
+ _k_r_b_5___c_c_a_c_h_e _*_i_d)
+
+ _c_o_n_s_t _c_h_a_r _*
+ kkrrbb55__cccc__ggeett__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__ggeett__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d,
+ _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l)
+
+ _c_o_n_s_t _c_h_a_r _*
+ kkrrbb55__cccc__ggeett__ttyyppee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d)
+
+ _c_o_n_s_t _k_r_b_5___c_c___o_p_s _*
+ kkrrbb55__cccc__ggeett__ooppss(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d)
+
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__ggeett__vveerrssiioonn(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_c_a_c_h_e _i_d)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__iinniittiiaalliizzee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d,
+ _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_m_a_r_y___p_r_i_n_c_i_p_a_l)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__rreeggiisstteerr(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_c___o_p_s _*_o_p_s,
+ _k_r_b_5___b_o_o_l_e_a_n _o_v_e_r_r_i_d_e)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__rreessoollvvee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e, _k_r_b_5___c_c_a_c_h_e _*_i_d)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__rreettrriieevvee__ccrreedd(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d,
+ _k_r_b_5___f_l_a_g_s _w_h_i_c_h_f_i_e_l_d_s, _c_o_n_s_t _k_r_b_5___c_r_e_d_s _*_m_c_r_e_d_s,
+ _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__rreemmoovvee__ccrreedd(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d,
+ _k_r_b_5___f_l_a_g_s _w_h_i_c_h, _k_r_b_5___c_r_e_d_s _*_c_r_e_d)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__sseett__ddeeffaauulltt__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__ssttoorree__ccrreedd(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _i_d,
+ _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__sseett__ffllaaggss(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _k_r_b_5___c_c___s_e_t___f_l_a_g_s _i_d,
+ _k_r_b_5___f_l_a_g_s _f_l_a_g_s)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cccc__nneexxtt__ccrreedd(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___c_c_a_c_h_e _i_d,
+ _k_r_b_5___c_c___c_u_r_s_o_r _*_c_u_r_s_o_r, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s)
+
+DDEESSCCRRIIPPTTIIOONN
+ The krb5_ccache structure holds a Kerberos credential cache.
+
+ The krb5_cc_cursor structure holds current position in a credential cache
+ when iterating over the cache.
+
+ The krb5_cc_ops structure holds a set of operations that can me preformed
+ on a credential cache.
+
+ There is no component inside krb5_ccache, krb5_cc_cursor nor krb5_fcc_ops
+ that is directly referable.
+
+ The krb5_creds holds a Kerberos credential, see manpage for
+ krb5_creds(3).
+
+ kkrrbb55__cccc__ddeeffaauulltt__nnaammee() and kkrrbb55__cccc__sseett__ddeeffaauulltt__nnaammee() gets and sets the
+ default name for the _c_o_n_t_e_x_t.
+
+ kkrrbb55__cccc__ddeeffaauulltt() opens the default ccache in _i_d. Return 0 or an error
+ code.
+
+ kkrrbb55__cccc__ggeenn__nneeww() generates a new ccache of type _o_p_s in _i_d. Return 0 or
+ an error code.
+
+ kkrrbb55__cccc__rreessoollvvee() finds and allocates a ccache in _i_d from the specifica-
+ tion in _r_e_s_i_d_u_a_l. If the ccache name doesn't contain any colon (:), in-
+ terpret it as a file name. Return 0 or an error code.
+
+
+ kkrrbb55__cccc__iinniittiiaalliizzee() creates a new ccache in _i_d for _p_r_i_m_a_r_y___p_r_i_n_c_i_p_a_l.
+ Return 0 or an error code.
+
+ kkrrbb55__cccc__cclloossee() stops using the ccache _i_d and frees the related re-
+ sources. Return 0 or an error code. kkrrbb55__cccc__ddeessttrrooyy() removes the
+ ccache and closes (by calling kkrrbb55__cccc__cclloossee()) _i_d. Return 0 or an error
+ code.
+
+ kkrrbb55__cccc__ccooppyy__ccaacchhee() copys the contents of _f_r_o_m to _t_o.
+
+ kkrrbb55__cccc__ggeett__nnaammee() returns the name of the ccache _i_d.
+
+ kkrrbb55__cccc__ggeett__pprriinncciippaall() returns the principal of _i_d in _p_r_i_n_c_i_p_a_l. Return
+ 0 or an error code.
+
+ kkrrbb55__cccc__ggeett__ttyyppee() returns the type of the ccache _i_d.
+
+ kkrrbb55__cccc__ggeett__ooppss() returns the ops of the ccache _i_d.
+
+ kkrrbb55__cccc__ggeett__vveerrssiioonn() returns the version of _i_d.
+
+ kkrrbb55__cccc__rreeggiisstteerr() Adds a new ccache type with operations _o_p_s, overwrit-
+ ing any existing one if _o_v_e_r_r_i_d_e. Return an error code or 0.
+
+ kkrrbb55__cccc__rreemmoovvee__ccrreedd() removes the credential identified by (_c_r_e_d, _w_h_i_c_h)
+ from _i_d.
+
+ kkrrbb55__cccc__ssttoorree__ccrreedd() stores _c_r_e_d_s in the ccache _i_d. Return 0 or an error
+ code.
+
+ kkrrbb55__cccc__sseett__ffllaaggss() sets the flags of _i_d to _f_l_a_g_s.
+
+ kkrrbb55__cccc__rreettrriieevvee__ccrreedd(), retrieves the credential identified by _m_c_r_e_d_s
+ (and _w_h_i_c_h_f_i_e_l_d_s) from _i_d in _c_r_e_d_s. Return 0 or an error code.
+
+ kkrrbb55__cccc__nneexxtt__ccrreedd() retrieves the next cred pointed to by (_i_d, _c_u_r_s_o_r) in
+ _c_r_e_d_s, and advance _c_u_r_s_o_r. Return 0 or an error code.
+
+ kkrrbb55__cccc__eenndd__sseeqq__ggeett() Destroys the cursor _c_u_r_s_o_r.
+
+SSEEEE AALLSSOO
+ krb5(3), krb5.conf(5), kerberos(8)
+
+ HEIMDAL March 16, 2003 3
diff --git a/kerberosV/src/lib/krb5/krb5_config.cat3 b/kerberosV/src/lib/krb5/krb5_config.cat3
new file mode 100644
index 00000000000..9b8bab29535
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_config.cat3
@@ -0,0 +1,57 @@
+
+KRB5_CONFIG(3) UNIX Programmer's Manual KRB5_CONFIG(3)
+
+NNAAMMEE
+ kkrrbb55__ccoonnffiigg__ggeett__bbooooll__ddeeffaauulltt, kkrrbb55__ccoonnffiigg__ggeett__iinntt__ddeeffaauulltt,
+ kkrrbb55__ccoonnffiigg__ggeett__ssttrriinngg__ddeeffaauulltt, kkrrbb55__ccoonnffiigg__ggeett__ttiimmee__ddeeffaauulltt - get con-
+ figuration value
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___b_o_o_l_e_a_n
+ kkrrbb55__ccoonnffiigg__ggeett__bbooooll__ddeeffaauulltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___c_o_n_f_i_g___s_e_c_t_i_o_n _*_c, _k_r_b_5___b_o_o_l_e_a_n _d_e_f___v_a_l_u_e, _._._.)
+
+ _i_n_t
+ kkrrbb55__ccoonnffiigg__ggeett__iinntt__ddeeffaauulltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_o_n_f_i_g___s_e_c_t_i_o_n _*_c,
+ _i_n_t _d_e_f___v_a_l_u_e, _._._.)
+
+ _c_o_n_s_t _c_h_a_r_*
+ kkrrbb55__ccoonnffiigg__ggeett__ssttrriinngg__ddeeffaauulltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___c_o_n_f_i_g___s_e_c_t_i_o_n _*_c, _c_o_n_s_t _c_h_a_r _*_d_e_f___v_a_l_u_e, _._._.)
+
+ _i_n_t
+ kkrrbb55__ccoonnffiigg__ggeett__ttiimmee__ddeeffaauulltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___c_o_n_f_i_g___s_e_c_t_i_o_n _*_c, _i_n_t _d_e_f___v_a_l_u_e, _._._.)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions get values from the krb5.conf(5) configuration file, or
+ another configuration database specified by the _c parameter.
+
+ The variable arguments should be a list of strings naming each subsection
+ to look for. For example:
+
+ krb5_config_get_bool_default(context, NULL, FALSE, "libdefaults", "log_utc", NULL)
+
+ gets the boolean value for the log_utc option, defaulting to FALSE.
+
+ kkrrbb55__ccoonnffiigg__ggeett__bbooooll__ddeeffaauulltt() will convert the option value to a boolean
+ value, where `yes', `true', and any non-zero number means TRUE, and any
+ other value FALSE.
+
+ kkrrbb55__ccoonnffiigg__ggeett__iinntt__ddeeffaauulltt() will convert the value to an integer.
+
+ kkrrbb55__ccoonnffiigg__ggeett__ttiimmee__ddeeffaauulltt() will convert the value to a period of time
+ (not a time stamp) in seconds, so the string `2 weeks' will be converted
+ to 1209600 (2 * 7 * 24 * 60 * 60).
+
+BBUUGGSS
+ Other than for the string case, there's no way to tell whether there was
+ a value specified or not.
+
+SSEEEE AALLSSOO
+ krb5_appdefault(3), krb5.conf(5)
+
+ HEIMDAL July 25, 2000 1
diff --git a/kerberosV/src/lib/krb5/krb5_context.cat3 b/kerberosV/src/lib/krb5/krb5_context.cat3
new file mode 100644
index 00000000000..0f8abc1b98e
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_context.cat3
@@ -0,0 +1,19 @@
+
+KRB5_CONTEXT(3) UNIX Programmer's Manual KRB5_CONTEXT(3)
+
+NNAAMMEE
+ kkrrbb55__ccoonntteexxtt - krb5 state structure
+
+DDEESSCCRRIIPPTTIIOONN
+ The kkrrbb55__ccoonntteexxtt structure is designed to hold all per thread state. All
+ global variables that are context specific are stored in this structure,
+ including default encryption types, credentials-cache (ticket file), and
+ default realms.
+
+ The internals of the structure should never be accessed directly, func-
+ tions exist for extracting information.
+
+SSEEEE AALLSSOO
+ krb5_init_context(3), kerberos(8)
+
+ HEIMDAL January 21, 2001 1
diff --git a/kerberosV/src/lib/krb5/krb5_create_checksum.cat3 b/kerberosV/src/lib/krb5/krb5_create_checksum.cat3
new file mode 100644
index 00000000000..9a0d1d99090
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_create_checksum.cat3
@@ -0,0 +1,52 @@
+
+NAME(3) UNIX Programmer's Manual NAME(3)
+
+NNAAMMEE
+ kkrrbb55__cchheecckkssuumm__iiss__ccoolllliissiioonn__pprrooooff, kkrrbb55__cchheecckkssuumm__iiss__kkeeyyeedd,
+ kkrrbb55__cchheecckkssuummssiizzee, kkrrbb55__ccrreeaattee__cchheecckkssuumm, kkrrbb55__vveerriiffyy__cchheecckkssuumm - creates
+ and verifies checksums
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ccrreeaattee__cchheecckkssuumm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o,
+ _u_n_s_i_g_n_e_d _u_s_a_g_e___o_r___t_y_p_e, _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _C_h_e_c_k_s_u_m _*_r_e_s_u_l_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__vveerriiffyy__cchheecckkssuumm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o,
+ _k_r_b_5___k_e_y___u_s_a_g_e _u_s_a_g_e, _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _C_h_e_c_k_s_u_m _*_c_k_s_u_m)
+
+ _k_r_b_5___b_o_o_l_e_a_n
+ kkrrbb55__cchheecckkssuumm__iiss__ccoolllliissiioonn__pprrooooff(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___c_k_s_u_m_t_y_p_e _t_y_p_e)
+
+ _k_r_b_5___b_o_o_l_e_a_n
+ kkrrbb55__cchheecckkssuumm__iiss__kkeeyyeedd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_k_s_u_m_t_y_p_e _t_y_p_e)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions are used to create and verify checksums.
+ kkrrbb55__ccrreeaattee__cchheecckkssuumm() creates a checksum of the specified data, and puts
+ it in _r_e_s_u_l_t. If _c_r_y_p_t_o is NULL, _u_s_a_g_e___o_r___t_y_p_e specifies the checksum
+ type to use; it must not be keyed. Otherwise _c_r_y_p_t_o is an encryption con-
+ text created by kkrrbb55__ccrryyppttoo__iinniitt(), and _u_s_a_g_e___o_r___t_y_p_e specifies a key-us-
+ age.
+
+ kkrrbb55__vveerriiffyy__cchheecckkssuumm() verifies the _c_h_e_c_k_s_u_m, against the provided data.
+
+ kkrrbb55__cchheecckkssuumm__iiss__ccoolllliissiioonn__pprrooooff() returns true is the specified checksum
+ is collision proof (that it's very unlikely that two strings has the same
+ hash value, and that it's hard to find two strings that has the same
+ hash). Examples of collision proof checksums are MD5, and SHA1, while
+ CRC32 is not.
+
+ kkrrbb55__cchheecckkssuumm__iiss__kkeeyyeedd() returns true if the specified checksum type is
+ keyed (that the hash value is a function of both the data, and a separate
+ key). Examples of keyed hash algorithms are HMAC-SHA1-DES3, and RSA-
+ MD5-DES. The ``plain'' hash functions MD5, and SHA1 are not keyed.
+
+SSEEEE AALLSSOO
+ krb5_crypto_init(3), krb5_encrypt(3)
+
+ HEIMDAL April 7, 1999 1
diff --git a/kerberosV/src/lib/krb5/krb5_crypto_init.cat3 b/kerberosV/src/lib/krb5/krb5_crypto_init.cat3
new file mode 100644
index 00000000000..f59863aa021
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_crypto_init.cat3
@@ -0,0 +1,32 @@
+
+NAME(3) UNIX Programmer's Manual NAME(3)
+
+NNAAMMEE
+ kkrrbb55__ccrryyppttoo__iinniitt, kkrrbb55__ccrryyppttoo__ddeessttrrooyy - initialize encryption context
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ccrryyppttoo__iinniitt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_b_l_o_c_k _*_k_e_y,
+ _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e, _k_r_b_5___c_r_y_p_t_o _*_c_r_y_p_t_o)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ccrryyppttoo__ddeessttrrooyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions are used to initialize an encryption context that can be
+ used to encrypt or checksum data.
+
+ The kkrrbb55__ccrryypptt__iinniitt() initializes the encrytion context _c_r_y_p_t_o. The _k_e_y
+ parameter is the key to use for encryption, and checksums. The encryption
+ type to use is taken from the key, but can be overridden with the _e_n_c_t_y_p_e
+ _p_a_r_a_m_e_t_e_r.
+
+ kkrrbb55__ccrryyppttoo__ddeessttrrooyy() frees a previously allocated encrypion context.
+
+SSEEEE AALLSSOO
+ krb5_create_checksum(3), krb5_encrypt(3)
+
+ HEIMDAL April 7, 1999 1
diff --git a/kerberosV/src/lib/krb5/krb5_data.cat3 b/kerberosV/src/lib/krb5/krb5_data.cat3
new file mode 100644
index 00000000000..70aa5e247a1
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_data.cat3
@@ -0,0 +1,71 @@
+
+KRB5_DATA(3) UNIX Programmer's Manual KRB5_DATA(3)
+
+NNAAMMEE
+ kkrrbb55__ddaattaa kkrrbb55__ddaattaa__zzeerroo kkrrbb55__ddaattaa__ffrreeee kkrrbb55__ffrreeee__ddaattaa__ccoonntteennttss
+ kkrrbb55__ffrreeee__ddaattaa kkrrbb55__ddaattaa__aalllloocc kkrrbb55__ddaattaa__rreeaalllloocc kkrrbb55__ddaattaa__ccooppyy
+ kkrrbb55__ccooppyy__ddaattaa - operates on the Kerberos datatype krb5_data.
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ struct krb5_data; _v_o_i_d
+ kkrrbb55__ddaattaa__zzeerroo(_k_r_b_5___d_a_t_a _*_p)
+
+ _v_o_i_d
+ kkrrbb55__ddaattaa__ffrreeee(_k_r_b_5___d_a_t_a _*_p)
+
+ _v_o_i_d
+ kkrrbb55__ffrreeee__ddaattaa__ccoonntteennttss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_a_t_a _*_p)
+
+ _v_o_i_d
+ kkrrbb55__ffrreeee__ddaattaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___d_a_t_a _*_p)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ddaattaa__aalllloocc(_k_r_b_5___d_a_t_a _*_p, _i_n_t _l_e_n)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ddaattaa__rreeaalllloocc(_k_r_b_5___d_a_t_a _*_p, _i_n_t _l_e_n)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ddaattaa__ccooppyy(_k_r_b_5___d_a_t_a _*_p, _c_o_n_s_t _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ccooppyy__ddaattaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___d_a_t_a _*_i_n_d_a_t_a,
+ _k_r_b_5___d_a_t_a _*_*_o_u_t_d_a_t_a)
+
+DDEESSCCRRIIPPTTIIOONN
+ The krb5_data structure holds a data element. The structure contains two
+ public accessible elements _l_e_n_g_t_h (the length of data) and _d_a_t_a (the data
+ itself). The structure must always be initiated and freed by the func-
+ tions documented in this manual.
+
+ kkrrbb55__ddaattaa__zzeerroo() resets the content of _p.
+
+ kkrrbb55__ddaattaa__ffrreeee() free the data in _p.
+
+ kkrrbb55__ffrreeee__ddaattaa__ccoonntteennttss() works the same way as _k_r_b_5___d_a_t_a___f_r_e_e. The
+ diffrence is that krb5_free_data_contents is more portable (exists in MIT
+ api).
+
+ kkrrbb55__ffrreeee__ddaattaa() frees the data in _p and _p itself .
+
+ kkrrbb55__ddaattaa__aalllloocc() allocates _l_e_n bytes in _p Returns 0 or an error.
+
+ kkrrbb55__ddaattaa__rreeaalllloocc() reallocates the length of _p to the length in _l_e_n. Re-
+ turns 0 or an error.
+
+ kkrrbb55__ddaattaa__ccooppyy() copies the _d_a_t_a that have the length _l_e_n into _p. _p is
+ not freed so the calling function should make sure the _p doesn't contain
+ anything needs to be freed. Returns 0 or an error.
+
+ kkrrbb55__ccooppyy__ddaattaa() copies the krb5_data in _i_n_d_a_t_a to _o_u_t_d_a_t_a. _o_u_t_d_a_t_a is
+ not freed so the calling function should make sure the _o_u_t_d_a_t_a doesn't
+ contain anything needs to be freed. _o_u_t_d_a_t_a should be freed using
+ kkrrbb55__ffrreeee__ddaattaa(). Returns 0 or an error.
+
+SSEEEE AALLSSOO
+ krb5(3), krb5_storage(3), kerberos(8)
+
+ HEIMDAL March 20, 2003 2
diff --git a/kerberosV/src/lib/krb5/krb5_encrypt.cat3 b/kerberosV/src/lib/krb5/krb5_encrypt.cat3
new file mode 100644
index 00000000000..0188acd39e2
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_encrypt.cat3
@@ -0,0 +1,44 @@
+
+KRB5_ENCRYPT(3) UNIX Programmer's Manual KRB5_ENCRYPT(3)
+
+NNAAMMEE
+ kkrrbb55__ddeeccrryypptt, kkrrbb55__ddeeccrryypptt__EEnnccrryypptteeddDDaattaa, kkrrbb55__eennccrryypptt,
+ kkrrbb55__eennccrryypptt__EEnnccrryypptteeddDDaattaa - encrypt and decrypt data
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__eennccrryypptt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o, _u_n_s_i_g_n_e_d _u_s_a_g_e,
+ _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__eennccrryypptt__EEnnccrryypptteeddDDaattaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o,
+ _u_n_s_i_g_n_e_d _u_s_a_g_e, _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _i_n_t _k_v_n_o,
+ _E_n_c_r_y_p_t_e_d_D_a_t_a _*_r_e_s_u_l_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ddeeccrryypptt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o, _u_n_s_i_g_n_e_d _u_s_a_g_e,
+ _v_o_i_d _*_d_a_t_a, _s_i_z_e___t _l_e_n, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ddeeccrryypptt__EEnnccrryypptteeddDDaattaa(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_y_p_t_o _c_r_y_p_t_o,
+ _u_n_s_i_g_n_e_d _u_s_a_g_e, _E_n_c_r_y_p_t_e_d_D_a_t_a _*_e, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions are used to encrypt and decrypt data.
+
+ kkrrbb55__eennccrryypptt() puts the encrypted version of _d_a_t_a (of size _l_e_n) in
+ _r_e_s_u_l_t. If the encryption type supports using derived keys, _u_s_a_g_e should
+ be the appropriate key-usage. kkrrbb55__eennccrryypptt__EEnnccrryypptteeddDDaattaa() does the same
+ as kkrrbb55__eennccrryypptt(), but it puts the encrypted data in a _E_n_c_r_y_p_t_e_d_D_a_t_a
+ structure instead. If _k_v_n_o is not zero, it will be put in the _k_v_n_o _f_i_e_l_d
+ _i_n _t_h_e _E_n_c_r_y_p_t_e_d_D_a_t_a.
+
+ kkrrbb55__ddeeccrryypptt(), and kkrrbb55__ddeeccrryypptt__EEnnccrryypptteeddDDaattaa() works similarly.
+
+SSEEEE AALLSSOO
+ krb5_create_checksum(3), krb5_crypto_init(3)
+
+ HEIMDAL April 7, 1999 1
diff --git a/kerberosV/src/lib/krb5/krb5_free_addresses.cat3 b/kerberosV/src/lib/krb5/krb5_free_addresses.cat3
new file mode 100644
index 00000000000..4bf75c35f48
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_free_addresses.cat3
@@ -0,0 +1,21 @@
+
+KRB5_FREE_ADDRESSES(3) UNIX Programmer's Manual KRB5_FREE_ADDRESSES(3)
+
+NNAAMMEE
+ kkrrbb55__ffrreeee__aaddddrreesssseess - free list of addresses
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _v_o_i_d
+ kkrrbb55__ffrreeee__aaddddrreesssseess(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_e_s_s_e_s)
+
+DDEESSCCRRIIPPTTIIOONN
+ The kkrrbb55__ffrreeee__aaddddrreesssseess() will free a list of addresses that has been
+ created with kkrrbb55__ggeett__aallll__cclliieenntt__aaddddrrss() or with some other function.
+
+SSEEEE AALLSSOO
+ krb5_get_all_client_addrs(3)
+
+ HEIMDAL November 20, 2001 1
diff --git a/kerberosV/src/lib/krb5/krb5_free_principal.cat3 b/kerberosV/src/lib/krb5/krb5_free_principal.cat3
new file mode 100644
index 00000000000..91aa5319cc7
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_free_principal.cat3
@@ -0,0 +1,23 @@
+
+KRB5_FREE_PRINCIPAL(3) UNIX Programmer's Manual KRB5_FREE_PRINCIPAL(3)
+
+NNAAMMEE
+ kkrrbb55__ffrreeee__pprriinncciippaall - principal free function
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _v_o_i_d
+ kkrrbb55__ffrreeee__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l)
+
+DDEESSCCRRIIPPTTIIOONN
+ The kkrrbb55__ffrreeee__pprriinncciippaall() will free a principal that has been created
+ with kkrrbb55__bbuuiilldd__pprriinncciippaall(), kkrrbb55__ppaarrssee__nnaammee(), or with some other func-
+ tion.
+
+SSEEEE AALLSSOO
+ krb5_425_conv_principal(3), krb5_build_principal(3),
+ krb5_parse_name(3), krb5_sname_to_principal(3), krb5_unparse_name(3)
+
+ HEIMDAL August 8, 1997 1
diff --git a/kerberosV/src/lib/krb5/krb5_get_all_client_addrs.cat3 b/kerberosV/src/lib/krb5/krb5_get_all_client_addrs.cat3
new file mode 100644
index 00000000000..4093b1a9862
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_get_all_client_addrs.cat3
@@ -0,0 +1,37 @@
+
+KRB5_GET_ADDRS(3) UNIX Programmer's Manual KRB5_GET_ADDRS(3)
+
+NNAAMMEE
+ kkrrbb55__ggeett__aallll__cclliieenntt__aaddddrrss, kkrrbb55__ggeett__aallll__sseerrvveerr__aaddddrrss - return local ad-
+ dresses
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ggeett__aallll__cclliieenntt__aaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_s)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ggeett__aallll__sseerrvveerr__aaddddrrss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___a_d_d_r_e_s_s_e_s _*_a_d_d_r_s)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions return in _a_d_d_r_s a list of addresses associated with the
+ local host.
+
+ The server variant returns all configured interface addresses (if possi-
+ ble), including loop-back addresses. This is useful if you want to create
+ sockets to listen to.
+
+ The client version will also scan local interfaces (can be turned off by
+ setting libdefaults/scan_interfaces to false in _k_r_b_5_._c_o_n_f), but will not
+ include loop-back addresses, unless there are no other addresses found.
+ It will remove all addresses included in libdefaults/ignore_addresses but
+ will unconditionally include addresses in libdefaults/extra_addresses.
+
+ The returned addresses should be freed by calling kkrrbb55__ffrreeee__aaddddrreesssseess().
+
+SSEEEE AALLSSOO
+ krb5_free_addresses(3)
+
+ July 1, 2001 1
diff --git a/kerberosV/src/lib/krb5/krb5_get_krbhst.cat3 b/kerberosV/src/lib/krb5/krb5_get_krbhst.cat3
new file mode 100644
index 00000000000..493b55284f2
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_get_krbhst.cat3
@@ -0,0 +1,54 @@
+
+KRB5_GET_KRBHST(3) UNIX Programmer's Manual KRB5_GET_KRBHST(3)
+
+NNAAMMEE
+ kkrrbb55__ggeett__kkrrbbhhsstt kkrrbb55__ggeett__kkrrbb__aaddmmiinn__hhsstt kkrrbb55__ggeett__kkrrbb__cchhaannggeeppww__hhsstt
+ kkrrbb55__ggeett__kkrrbb552244hhsstt kkrrbb55__ffrreeee__kkrrbbhhsstt - lookup Kerberos KDC hosts
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ggeett__kkrrbbhhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m,
+ _c_h_a_r _*_*_*_h_o_s_t_l_i_s_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ggeett__kkrrbb__aaddmmiinn__hhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m,
+ _c_h_a_r _*_*_*_h_o_s_t_l_i_s_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ggeett__kkrrbb__cchhaannggeeppww__hhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m,
+ _c_h_a_r _*_*_*_h_o_s_t_l_i_s_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ggeett__kkrrbb552244hhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m,
+ _c_h_a_r _*_*_*_h_o_s_t_l_i_s_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ffrreeee__kkrrbbhhsstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_h_a_r _*_*_h_o_s_t_l_i_s_t)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions implement the old API to get a list of Kerberos hosts,
+ and are thus similar to the kkrrbb55__kkrrbbhhsstt__iinniitt() functions. However, since
+ these functions returns _a_l_l hosts in one go, they potentially have to do
+ more lookups than necessary. These functions remain for compatibility
+ reasons.
+
+ After a call to one of these functions, _h_o_s_t_l_i_s_t is a NULL terminated
+ list of strings, pointing to the requested Kerberos hosts. These should
+ be freed with kkrrbb55__ffrreeee__kkrrbbhhsstt() when done with.
+
+EEXXAAMMPPLLEE
+ The following code will print the KDCs of the realm ``MY.REALM''.
+
+ char **hosts, **p;
+ krb5_get_krbhst(context, "MY.REALM", &hosts);
+ for(p = hosts; *p; p++)
+ printf("%s\n", *p);
+ krb5_free_krbhst(context, hosts);
+
+SSEEEE AALLSSOO
+ krb5_krbhst_init(3)
+
+ HEIMDAL June 17, 2001 1
diff --git a/kerberosV/src/lib/krb5/krb5_init_context.cat3 b/kerberosV/src/lib/krb5/krb5_init_context.cat3
new file mode 100644
index 00000000000..4d47bafd5fe
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_init_context.cat3
@@ -0,0 +1,34 @@
+
+KRB5_CONTEXT(3) UNIX Programmer's Manual KRB5_CONTEXT(3)
+
+NNAAMMEE
+ kkrrbb55__iinniitt__ccoonntteexxtt, kkrrbb55__ffrreeee__ccoonntteexxtt - create and delete krb5_context
+ structures
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__iinniitt__ccoonntteexxtt(_k_r_b_5___c_o_n_t_e_x_t _*_c_o_n_t_e_x_t)
+
+ _v_o_i_d
+ kkrrbb55__ffrreeee__ccoonntteexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t)
+
+DDEESSCCRRIIPPTTIIOONN
+ The kkrrbb55__iinniitt__ccoonntteexxtt() function initializes the _c_o_n_t_e_x_t structure and
+ reads the configuration file _/_e_t_c_/_k_r_b_5_._c_o_n_f.
+
+ The structure should be freed by calling kkrrbb55__ffrreeee__ccoonntteexxtt() when it is
+ no longer being used.
+
+RREETTUURRNN VVAALLUUEESS
+ kkrrbb55__iinniitt__ccoonntteexxtt() returns 0 to indicate success. Otherwise an errno
+ code is returned. Failure means either that something bad happened dur-
+ ing initialization (typically [ENOMEM]) or that Kerberos should not be
+ used [ENXIO].
+
+SSEEEE AALLSSOO
+ errno(2), krb5_context(3), kerberos(8)
+
+ HEIMDAL January 21, 2001 1
diff --git a/kerberosV/src/lib/krb5/krb5_keytab.cat3 b/kerberosV/src/lib/krb5/krb5_keytab.cat3
new file mode 100644
index 00000000000..301cb1e27c1
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_keytab.cat3
@@ -0,0 +1,212 @@
+
+KRB5_KEYTAB(3) UNIX Programmer's Manual KRB5_KEYTAB(3)
+
+NNAAMMEE
+ kkrrbb55__kktt__ooppss, kkrrbb55__kkeeyyttaabb__eennttrryy, kkrrbb55__kktt__ccuurrssoorr, kkrrbb55__kktt__aadddd__eennttrryy,
+ kkrrbb55__kktt__cclloossee, kkrrbb55__kktt__ccoommppaarree, kkrrbb55__kktt__ccooppyy__eennttrryy__ccoonntteennttss,
+ kkrrbb55__kktt__ddeeffaauulltt, kkrrbb55__kktt__ddeeffaauulltt__nnaammee, kkrrbb55__kktt__eenndd__sseeqq__ggeett,
+ kkrrbb55__kktt__ffrreeee__eennttrryy, kkrrbb55__kktt__ggeett__eennttrryy, kkrrbb55__kktt__ggeett__nnaammee,
+ kkrrbb55__kktt__ggeett__ttyyppee, kkrrbb55__kktt__nneexxtt__eennttrryy, kkrrbb55__kktt__rreeaadd__sseerrvviiccee__kkeeyy,
+ kkrrbb55__kktt__rreeggiisstteerr, kkrrbb55__kktt__rreemmoovvee__eennttrryy, kkrrbb55__kktt__rreessoollvvee,
+ kkrrbb55__kktt__ssttaarrtt__sseeqq__ggeett - manage keytab (key storage) files
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__aadddd__eennttrryy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _i_d,
+ _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_e_n_t_r_y)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__cclloossee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _i_d)
+
+ _k_r_b_5___b_o_o_l_e_a_n
+ kkrrbb55__kktt__ccoommppaarree(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_e_n_t_r_y,
+ _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _k_r_b_5___k_v_n_o _v_n_o,
+ _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__ccooppyy__eennttrryy__ccoonntteennttss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _c_o_n_s_t _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_i_n, _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_o_u_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__ddeeffaauulltt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _*_i_d)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__ddeeffaauulltt__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_h_a_r _*_n_a_m_e, _s_i_z_e___t _n_a_m_e_s_i_z_e)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__eenndd__sseeqq__ggeett(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _i_d,
+ _k_r_b_5___k_t___c_u_r_s_o_r _*_c_u_r_s_o_r)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__ffrreeee__eennttrryy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_e_n_t_r_y)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__ggeett__eennttrryy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _i_d,
+ _k_r_b_5___c_o_n_s_t___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _k_r_b_5___k_v_n_o _k_v_n_o,
+ _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e, _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_e_n_t_r_y)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__ggeett__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _k_e_y_t_a_b, _c_h_a_r _*_n_a_m_e,
+ _s_i_z_e___t _n_a_m_e_s_i_z_e)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__ggeett__ttyyppee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _k_e_y_t_a_b, _c_h_a_r _*_p_r_e_f_i_x,
+ _s_i_z_e___t _p_r_e_f_i_x_s_i_z_e)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__nneexxtt__eennttrryy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _i_d,
+ _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_e_n_t_r_y, _k_r_b_5___k_t___c_u_r_s_o_r _*_c_u_r_s_o_r)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__rreeaadd__sseerrvviiccee__kkeeyy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_o_i_n_t_e_r _k_e_y_p_r_o_c_a_r_g,
+ _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _k_r_b_5___k_v_n_o _v_n_o, _k_r_b_5___e_n_c_t_y_p_e _e_n_c_t_y_p_e,
+ _k_r_b_5___k_e_y_b_l_o_c_k _*_*_k_e_y)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__rreeggiisstteerr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _k_r_b_5___k_t___o_p_s _*_o_p_s)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__rreemmoovvee__eennttrryy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _i_d,
+ _k_r_b_5___k_e_y_t_a_b___e_n_t_r_y _*_e_n_t_r_y)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__rreessoollvvee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e, _k_r_b_5___k_e_y_t_a_b _*_i_d)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kktt__ssttaarrtt__sseeqq__ggeett(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_e_y_t_a_b _i_d,
+ _k_r_b_5___k_t___c_u_r_s_o_r _*_c_u_r_s_o_r)
+
+DDEESSCCRRIIPPTTIIOONN
+ A keytab name is on the form type:residual. The residual part is specific
+ to each keytab-type.
+
+ When a keytab-name is resolved, the type is matched with an internal list
+ of keytab types. If there is no matching keytab type, the default keytab
+ is used. The current default type is ffiillee. The default value can be
+ changed in the configuration file _/_e_t_c_/_k_r_b_5_._c_o_n_f by setting the variable
+ [defaults]default_keytab_name.
+
+ The keytab types that are implemented in Heimdal are:
+
+ ffiillee store the keytab in a file, the type's name is KEYFILE. The
+ residual part is a filename.
+
+ kkeeyyffiillee
+ store the keytab in a AFS keyfile (usually _/_u_s_r_/_a_f_s_/_e_t_c_/_K_e_y_F_i_l_e),
+ the type's name is AFSKEYFILE. The residual part is a filename.
+
+ kkrrbb44 the keytab is a Kerberos 4 _s_r_v_t_a_b that is on-the-fly converted to
+ a keytab. The type's name is krb4. The residual part is a file-
+ name.
+
+ mmeemmoorryy The keytab is stored in a memory segment. This allows sensitive
+ and/or temporary data not to be stored on disk. The type's name
+ is MEMORY. There are no residual part, the only pointer back to
+ the keytab is the _i_d returned by kkrrbb55__kktt__rreessoollvvee().
+
+ kkrrbb55__kkeeyyttaabb__eennttrryy holds all data for an entry in a keytab file, like
+ principal name, key-type, key, key-version number, etc. kkrrbb55__kktt__ccuurrssoorr
+ holds the current position that is used when iterating through a keytab
+ entry with kkrrbb55__kktt__ssttaarrtt__sseeqq__ggeett(), kkrrbb55__kktt__nneexxtt__eennttrryy(), and
+ kkrrbb55__kktt__eenndd__sseeqq__ggeett().
+
+ kkrrbb55__kktt__ooppss contains the different operations that can be done to a
+ keytab. This structure is normally only used when doing a new keytab-type
+ implementation.
+
+ kkrrbb55__kktt__rreessoollvvee() is the equivalent of an open(2) on keytab. Resolve the
+ keytab name in _n_a_m_e into a keytab in _i_d. Returns 0 or an error. The oppo-
+ site of kkrrbb55__kktt__rreessoollvvee() is kkrrbb55__kktt__cclloossee(). kkrrbb55__kktt__cclloossee() frees all
+ resources allocated to the keytab.
+
+ kkrrbb55__kktt__ddeeffaauulltt() sets the argument _i_d to the default keytab. Returns 0
+ or an error.
+
+ kkrrbb55__kktt__ddeeffaauulltt__nnaammee() copy the name of the default keytab into _n_a_m_e. Re-
+ turn 0 or KRB5_CONFIG_NOTENUFSPACE if _n_a_m_e_s_i_z_e is too short.
+
+
+ kkrrbb55__kktt__aadddd__eennttrryy() Add a new _e_n_t_r_y to the keytab _i_d. KRB5_KT_NOWRITE is
+ returned if the keytab is a readonly keytab.
+
+ kkrrbb55__kktt__ccoommppaarree() compares the passed in _e_n_t_r_y against _p_r_i_n_c_i_p_a_l, _v_n_o,
+ and _e_n_c_t_y_p_e. Any of _p_r_i_n_c_i_p_a_l, _v_n_o or _e_n_c_t_y_p_e might be 0 which acts as a
+ wildcard. Return TRUE if they compare the same, FALSE otherwise.
+
+ kkrrbb55__kktt__ccooppyy__eennttrryy__ccoonntteennttss() copies the contents of _i_n into _o_u_t. Returns
+ 0 or an error.
+
+ kkrrbb55__kktt__ggeett__nnaammee() retrieves the name of the keytab _k_e_y_t_a_b into _n_a_m_e,
+ _n_a_m_e_s_i_z_e. Returns 0 or an error.
+
+ kkrrbb55__kktt__ggeett__ttyyppee() retrieves the type of the keytab _k_e_y_t_a_b and store the
+ prefix/name for type of the keytab into _p_r_e_f_i_x, _p_r_e_f_i_x_s_i_z_e. The prefix
+ will have the maximum length of KRB5_KT_PREFIX_MAX_LEN (including termi-
+ nating NUL). Returns 0 or an error.
+
+ kkrrbb55__kktt__ffrreeee__eennttrryy() frees the contents of _e_n_t_r_y.
+
+ kkrrbb55__kktt__ssttaarrtt__sseeqq__ggeett() sets _c_u_r_s_o_r to point at the beginning of _i_d. Re-
+ turns 0 or an error.
+
+ kkrrbb55__kktt__nneexxtt__eennttrryy() gets the next entry from _i_d pointed to by _c_u_r_s_o_r and
+ advance the _c_u_r_s_o_r. Returns 0 or an error.
+
+ kkrrbb55__kktt__eenndd__sseeqq__ggeett() releases all resources associated with _c_u_r_s_o_r.
+
+ kkrrbb55__kktt__ggeett__eennttrryy() retrieves the keytab entry for _p_r_i_n_c_i_p_a_l, _k_v_n_o_,
+ _e_n_c_t_y_p_e into _e_n_t_r_y from the keytab _i_d. Returns 0 or an error.
+
+ kkrrbb55__kktt__rreeaadd__sseerrvviiccee__kkeeyy() reads the key identified by (_p_r_i_n_c_i_p_a_l, _v_n_o,
+ _e_n_c_t_y_p_e) from the keytab in _k_e_y_p_r_o_c_a_r_g (the default if == NULL) into
+ _*_k_e_y. Returns 0 or an error.
+
+ kkrrbb55__kktt__rreemmoovvee__eennttrryy() removes the entry _e_n_t_r_y from the keytab _i_d. Re-
+ turns 0 or an error.
+
+ kkrrbb55__kktt__rreeggiisstteerr() registers a new keytab type _o_p_s. Returns 0 or an er-
+ ror.
+
+EEXXAAMMPPLLEE
+ This is a minimalistic version of kkttuuttiill.
+
+ int
+ main (int argc, char **argv)
+ {
+ krb5_context context;
+ krb5_keytab keytab;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry entry;
+ krb5_error_code ret;
+ char *principal;
+
+ if (krb5_init_context (&context) != 0)
+ errx(1, "krb5_context");
+
+ ret = krb5_kt_default (context, &keytab);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_kt_default");
+
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
+ while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
+ krb5_unparse_name_short(context, entry.principal, &principal);
+ printf("principal: %s\n", principal);
+ free(principal);
+ krb5_kt_free_entry(context, &entry);
+ }
+ ret = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_kt_end_seq_get");
+ krb5_free_context(context);
+ return 0;
+ }
+
+SSEEEE AALLSSOO
+ krb5.conf(5), kerberos(8)
+
+ HEIMDAL February 5, 2001 4
diff --git a/kerberosV/src/lib/krb5/krb5_krbhst_init.cat3 b/kerberosV/src/lib/krb5/krb5_krbhst_init.cat3
new file mode 100644
index 00000000000..a4f925f53bd
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_krbhst_init.cat3
@@ -0,0 +1,104 @@
+
+KRB5_KRBHST_INIT(3) UNIX Programmer's Manual KRB5_KRBHST_INIT(3)
+
+NNAAMMEE
+ kkrrbb55__kkrrbbhhsstt__iinniitt, kkrrbb55__kkrrbbhhsstt__nneexxtt, kkrrbb55__kkrrbbhhsstt__nneexxtt__aass__ssttrriinngg,
+ kkrrbb55__kkrrbbhhsstt__rreesseett, kkrrbb55__kkrrbbhhsstt__ffrreeee, kkrrbb55__kkrrbbhhsstt__ffoorrmmaatt__ssttrriinngg,
+ kkrrbb55__kkrrbbhhsstt__ggeett__aaddddrriinnffoo - lookup Kerberos KDC hosts
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kkrrbbhhsstt__iinniitt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_r_e_a_l_m,
+ _u_n_s_i_g_n_e_d _i_n_t _t_y_p_e, _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _*_h_a_n_d_l_e)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kkrrbbhhsstt__nneexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _h_a_n_d_l_e,
+ _k_r_b_5___k_r_b_h_s_t___i_n_f_o _*_*_h_o_s_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kkrrbbhhsstt__nneexxtt__aass__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _h_a_n_d_l_e, _c_h_a_r _*_h_o_s_t_n_a_m_e, _s_i_z_e___t _h_o_s_t_l_e_n)
+
+ _v_o_i_d
+ kkrrbb55__kkrrbbhhsstt__rreesseett(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _h_a_n_d_l_e)
+
+ _v_o_i_d
+ kkrrbb55__kkrrbbhhsstt__ffrreeee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_r_b_h_s_t___h_a_n_d_l_e _h_a_n_d_l_e)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kkrrbbhhsstt__ffoorrmmaatt__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _c_o_n_s_t _k_r_b_5___k_r_b_h_s_t___i_n_f_o _*_h_o_s_t, _c_h_a_r _*_h_o_s_t_n_a_m_e, _s_i_z_e___t _h_o_s_t_l_e_n)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__kkrrbbhhsstt__ggeett__aaddddrriinnffoo(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___k_r_b_h_s_t___i_n_f_o _*_h_o_s_t,
+ _s_t_r_u_c_t _a_d_d_r_i_n_f_o _*_*_a_i)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions are used to sequence through all Kerberos hosts of a par-
+ ticular realm and service. The service type can be the KDCs, the adminis-
+ trative servers, the password changing servers, or the servers for Ker-
+ beros 4 ticket conversion.
+
+ First a handle to a particular service is obtained by calling
+ kkrrbb55__kkrrbbhhsstt__iinniitt() with the _r_e_a_l_m of interest and the type of service to
+ lookup. The _t_y_p_e can be one of:
+
+ KRB5_KRBHST_KDC
+ KRB5_KRBHST_ADMIN
+ KRB5_KRBHST_CHANGEPW
+ KRB5_KRBHST_KRB524
+
+ The _h_a_n_d_l_e is returned to the caller, and should be passed to the other
+ functions.
+
+ For each call to kkrrbb55__kkrrbbhhsstt__nneexxtt() information a new host is returned.
+ The former function returns in _h_o_s_t a pointer to a structure containing
+ information about the host, such as protocol, hostname, and port:
+
+ typedef struct krb5_krbhst_info {
+ enum { KRB5_KRBHST_UDP,
+ KRB5_KRBHST_TCP,
+ KRB5_KRBHST_HTTP } proto;
+ unsigned short port;
+ struct addrinfo *ai;
+ struct krb5_krbhst_info *next;
+ char hostname[1];
+ } krb5_krbhst_info;
+
+ The related function, kkrrbb55__kkrrbbhhsstt__nneexxtt__aass__ssttrriinngg(), return the same in-
+ formation as a url-like string.
+
+ When there are no more hosts, these functions return KRB5_KDC_UNREACH.
+
+ To re-iterate over all hosts, call kkrrbb55__kkrrbbhhsstt__rreesseett() and the next call
+ to kkrrbb55__kkrrbbhhsstt__nneexxtt() will return the first host.
+
+ When done with the handle, kkrrbb55__kkrrbbhhsstt__ffrreeee() should be called.
+
+ To use a _k_r_b_5___k_r_b_h_s_t___i_n_f_o, there are two functions:
+ kkrrbb55__kkrrbbhhsstt__ffoorrmmaatt__ssttrriinngg() that will return a printable representation
+ of that struct and kkrrbb55__kkrrbbhhsstt__ggeett__aaddddrriinnffoo() that will return a _s_t_r_u_c_t
+ _a_d_d_r_i_n_f_o that can then be used for communicating with the server men-
+ tioned.
+
+EEXXAAMMPPLLEE
+ The following code will print the KDCs of the realm ``MY.REALM''.
+
+ krb5_krbhst_handle handle;
+ char host[MAXHOSTNAMELEN];
+ krb5_krbhst_init(context, "MY.REALM", KRB5_KRBHST_KDC, &handle);
+ while(krb5_krbhst_next_as_string(context, handle,
+ host, sizeof(host)) == 0)
+ printf("%s\n", host);
+ krb5_krbhst_free(context, handle);
+
+HHIISSTTOORRYY
+ These functions first appeared in Heimdal 0.3g.
+
+SSEEEE AALLSSOO
+ getaddrinfo(3), krb5_get_krbhst(3)
+
+ HEIMDAL June 17, 2001 2
diff --git a/kerberosV/src/lib/krb5/krb5_kuserok.cat3 b/kerberosV/src/lib/krb5/krb5_kuserok.cat3
new file mode 100644
index 00000000000..379acb8fdfd
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_kuserok.cat3
@@ -0,0 +1,36 @@
+
+KRB5_KUSEROK(3) UNIX Programmer's Manual KRB5_KUSEROK(3)
+
+NNAAMMEE
+ kkrrbb55__kkuusseerrookk - verifies if a principal can log in as a
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___b_o_o_l_e_a_n
+ kkrrbb55__kkuusseerrookk(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l,
+ _c_o_n_s_t _c_h_a_r _*_n_a_m_e)
+
+DDEESSCCRRIIPPTTIIOONN
+ This function takes a local user _n_a_m_e and verifies if _p_r_i_n_c_i_p_a_l is al-
+ lowed to log in as that user.
+
+ First kkrrbb55__kkuusseerrookk check if there is a local account name _u_s_e_r_n_a_m_e_. If
+ there isn't, kkrrbb55__kkuusseerrookk returns FALSE.
+
+ Then kkrrbb55__kkuusseerrookk checks if principal is the same as user@realm in any of
+ the default realms. If that is the case, kkrrbb55__kkuusseerrookk returns TRUE.
+
+ After that it reads the file _._k_5_l_o_g_i_n (if it exists) in the users home
+ directory and checks if _p_r_i_n_c_i_p_a_l is in the file. If it does exists,
+ TRUE is returned. If neither of the above turns out to be true, is re-
+ turned.
+
+ The _._k_5_l_o_g_i_n should contain one principal per line.
+
+SSEEEE AALLSSOO
+ krb5_get_default_realms(3), krb5_verify_user(3),
+ krb5_verify_user_lrealm(3), krb5_verify_user_opt(3,) krb5.conf(5)
+
+ HEIMDAL Oct 17, 2002 1
diff --git a/kerberosV/src/lib/krb5/krb5_openlog.cat3 b/kerberosV/src/lib/krb5/krb5_openlog.cat3
new file mode 100644
index 00000000000..47177bafb45
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_openlog.cat3
@@ -0,0 +1,156 @@
+
+KRB5_OPENLOG(3) UNIX Programmer's Manual KRB5_OPENLOG(3)
+
+NNAAMMEE
+ kkrrbb55__iinniittlloogg, kkrrbb55__ooppeennlloogg, kkrrbb55__cclloosseelloogg, kkrrbb55__aaddddlloogg__ddeesstt,
+ kkrrbb55__aaddddlloogg__ffuunncc, kkrrbb55__lloogg, kkrrbb55__vvlloogg, kkrrbb55__lloogg__mmssgg, kkrrbb55__vvlloogg__mmssgg -
+ Heimdal logging functions
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _t_y_p_e_d_e_f _v_o_i_d
+ (**kkrrbb55__lloogg__lloogg__ffuunncc__tt)(_c_o_n_s_t _c_h_a_r _*_t_i_m_e, _c_o_n_s_t _c_h_a_r _*_m_e_s_s_a_g_e, _v_o_i_d _*_d_a_t_a)
+
+ _t_y_p_e_d_e_f _v_o_i_d
+ (**kkrrbb55__lloogg__cclloossee__ffuunncc__tt)(_v_o_i_d _*_d_a_t_a)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aaddddlloogg__ddeesstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y,
+ _c_o_n_s_t _c_h_a_r _*_d_e_s_t_i_n_a_t_i_o_n)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__aaddddlloogg__ffuunncc(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y,
+ _i_n_t _m_i_n, _i_n_t _m_a_x, _k_r_b_5___l_o_g___l_o_g___f_u_n_c___t _l_o_g,
+ _k_r_b_5___l_o_g___c_l_o_s_e___f_u_n_c___t _c_l_o_s_e, _v_o_i_d _*_d_a_t_a)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cclloosseelloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__iinniittlloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_p_r_o_g_r_a_m,
+ _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_*_f_a_c_i_l_i_t_y)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__lloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y, _i_n_t _l_e_v_e_l,
+ _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _._._.)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__lloogg__mmssgg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y,
+ _c_h_a_r _*_*_r_e_p_l_y, _i_n_t _l_e_v_e_l, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _._._.)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ooppeennlloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_p_r_o_g_r_a_m,
+ _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_*_f_a_c_i_l_i_t_y)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__vvlloogg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y, _i_n_t _l_e_v_e_l,
+ _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _v_a___l_i_s_t _a_r_g_l_i_s_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__vvlloogg__mmssgg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y,
+ _c_h_a_r _*_*_r_e_p_l_y, _i_n_t _l_e_v_e_l, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _v_a___l_i_s_t _a_r_g_l_i_s_t)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions logs messages to one or more destinations.
+
+ The kkrrbb55__ooppeennlloogg() function creates a logging _f_a_c_i_l_i_t_y, that is used to
+ log messages. A facility consists of one or more destinations (which can
+ be files or syslog or some other device). The _p_r_o_g_r_a_m parameter should be
+ the generic name of the program that is doing the logging. This name is
+ used to lookup which destinations to use. This information is contained
+ in the logging section of the _k_r_b_5_._c_o_n_f configuration file. If no entry
+ is found for _p_r_o_g_r_a_m, the entry for default is used, or if that is miss-
+ ing too, SYSLOG will be used as destination.
+
+ To close a logging facility, use the kkrrbb55__cclloosseelloogg() function.
+
+ To log a message to a facility use one of the functions kkrrbb55__lloogg(),
+ kkrrbb55__lloogg__mmssgg(), kkrrbb55__vvlloogg(), or kkrrbb55__vvlloogg__mmssgg(). The functions ending in
+ _msg return in _r_e_p_l_y a pointer to the message that just got logged. This
+ string is allocated, and should be freed with ffrreeee(). The _f_o_r_m_a_t is a
+ standard pprriinnttff() style format string (but see the BUGS section).
+
+ If you want better control of where things gets logged, you can instead
+ of using kkrrbb55__ooppeennlloogg() call kkrrbb55__iinniittlloogg(), which just initializes a fa-
+ cility, but doesn't define any actual logging destinations. You can then
+ add destinations with the kkrrbb55__aaddddlloogg__ddeesstt() and kkrrbb55__aaddddlloogg__ffuunncc() func-
+ tions. The first of these takes a string specifying a logging destina-
+ tion, and adds this to the facility. If you want to do some non-standard
+ logging you can use the kkrrbb55__aaddddlloogg__ffuunncc() function, which takes a func-
+ tion to use when logging. The _l_o_g function is called for each message
+ with _t_i_m_e being a string specifying the current time, and _m_e_s_s_a_g_e the
+ message to log. _c_l_o_s_e is called when the facility is closed. You can
+ pass application specific data in the _d_a_t_a parameter. The _m_i_n and _m_a_x pa-
+ rameter are the same as in a destination (defined below). To specify a
+ max of infinity, pass -1.
+
+ kkrrbb55__ooppeennlloogg() calls kkrrbb55__iinniittlloogg() and then calls kkrrbb55__aaddddlloogg__ddeesstt() for
+ each destination found.
+
+ DDeessttiinnaattiioonnss
+ The defined destinations (as specified in _k_r_b_5_._c_o_n_f) follows:
+
+ STDERR
+ This logs to the program's stderr.
+
+ FILE:_/_f_i_l_e
+
+ FILE=_/_f_i_l_e
+ Log to the specified file. The form using a colon appends to
+ the file, the form with an equal truncates the file. The trun-
+ cating form keeps the file open, while the appending form
+ closes it after each log message (which makes it possible to
+ rotate logs). The truncating form is mainly for compatibility
+ with the MIT libkrb5.
+
+ DEVICE=_/_d_e_v_i_c_e
+ This logs to the specified device, at present this is the same
+ as FILE:/device.
+
+ CONSOLE
+ Log to the console, this is the same as DEVICE=/dev/console.
+
+ SYSLOG[:priority[:facility]]
+ Send messages to the syslog system, using priority, and facil-
+ ity. To get the name for one of these, you take the name of
+ the macro passed to syslog(3), and remove the leading LOG_
+ (LOG_NOTICE becomes NOTICE). The default values (as well as
+ the values used for unrecognised values), are ERR, and AUTH,
+ respectively. See syslog(3) for a list of priorities and fa-
+ cilities.
+
+ Each destination may optionally be prepended with a range of logging lev-
+ els, specified as min-max/. If the _l_e_v_e_l parameter to kkrrbb55__lloogg() is with-
+ in this range (inclusive) the message gets logged to this destination,
+ otherwise not. Either of the min and max valued may be omitted, in this
+ case min is assumed to be zero, and max is assumed to be infinity. If
+ you don't include a dash, both min and max gets set to the specified val-
+ ue. If no range is specified, all messages gets logged.
+
+EEXXAAMMPPLLEE
+ [logging]
+ kdc = 0/FILE:/var/log/kdc.log
+ kdc = 1-/SYSLOG:INFO:USER
+ default = STDERR
+
+ This will log all messages from the kkddcc program with level 0 to
+ _/_v_a_r_/_l_o_g_/_k_d_c_._l_o_g, other messages will be logged to syslog with priority
+ LOG_INFO, and facility LOG_USER. All other programs will log all messages
+ to their stderr.
+
+BBUUGGSS
+ These functions use aasspprriinnttff() to format the message. If your operating
+ system does not have a working aasspprriinnttff(), a replacement will be used. At
+ present this replacement does not handle some correct conversion specifi-
+ cations (like floating point numbers). Until this is fixed, the use of
+ these conversions should be avoided.
+
+ If logging is done to the syslog facility, these functions might not be
+ thread-safe, depending on the implementation of ooppeennlloogg(), and ssyysslloogg().
+
+SSEEEE AALLSSOO
+ syslog(3), krb5.conf(5)
+
+ HEIMDAL August 6, 1997 3
diff --git a/kerberosV/src/lib/krb5/krb5_parse_name.cat3 b/kerberosV/src/lib/krb5/krb5_parse_name.cat3
new file mode 100644
index 00000000000..73c72a1d54a
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_parse_name.cat3
@@ -0,0 +1,30 @@
+
+KRB5_PARSE_NAME(3) UNIX Programmer's Manual KRB5_PARSE_NAME(3)
+
+NNAAMMEE
+ kkrrbb55__ppaarrssee__nnaammee - string to principal conversion
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ppaarrssee__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_n_a_m_e,
+ _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l)
+
+DDEESSCCRRIIPPTTIIOONN
+ kkrrbb55__ppaarrssee__nnaammee() converts a string representation of a principal name to
+ kkrrbb55__pprriinncciippaall. The _p_r_i_n_c_i_p_a_l will point to allocated data that should be
+ freed with kkrrbb55__ffrreeee__pprriinncciippaall().
+
+ The string should consist of one or more name components separated with
+ slashes (``/''), optionally followed with an ``@'' and a realm name. A
+ slash or @ may be contained in a name component by quoting it with a
+ back-slash (`` .'') A realm should not contain slashes or colons.
+
+SSEEEE AALLSSOO
+ krb5_425_conv_principal(3), krb5_build_principal(3),
+ krb5_free_principal(3), krb5_sname_to_principal(3), krb5_un-
+ parse_name(3)
+
+ HEIMDAL August 8, 1997 1
diff --git a/kerberosV/src/lib/krb5/krb5_principal_get_realm.cat3 b/kerberosV/src/lib/krb5/krb5_principal_get_realm.cat3
new file mode 100644
index 00000000000..27cb8b45425
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_principal_get_realm.cat3
@@ -0,0 +1,42 @@
+
+KRB5_PRINCIPAL_GET_REALM(3)UNIX Programmer's ManualKRB5_PRINCIPAL_GET_REALM(3)
+
+NNAAMMEE
+ kkrrbb55__pprriinncciippaall__ggeett__rreeaallmm, kkrrbb55__pprriinncciippaall__ggeett__ccoommpp__ssttrriinngg - decompose a
+ principal
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _c_o_n_s_t _c_h_a_r _*
+ kkrrbb55__pprriinncciippaall__ggeett__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l)
+
+ _c_o_n_s_t _c_h_a_r _*
+ kkrrbb55__pprriinncciippaall__ggeett__ccoommpp__ssttrriinngg(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t,
+ _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l, _u_n_s_i_g_n_e_d _i_n_t _c_o_m_p_o_n_e_n_t)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions return parts of the _p_r_i_n_c_i_p_a_l, either the realm or a spe-
+ cific component. The returned string points to data inside the principal,
+ so they are valid only as long as the principal exists.
+
+ The _c_o_m_p_o_n_e_n_t argument to kkrrbb55__pprriinncciippaall__ggeett__ccoommpp__ssttrriinngg() is the compo-
+ nent number to return, from zero to the total number of components minus
+ one. If a the requested component number is out of range, NULL is re-
+ turned.
+
+ These functions can be seen as a replacement for the kkrrbb55__pprriinncc__rreeaallmm(),
+ kkrrbb55__pprriinncc__ccoommppoonneenntt() and related macros, described as intermal in the
+ MIT API specification. A difference is that these functions return
+ strings, not krb5_data. A reason to return krb5_data was that it was be-
+ lieved that principal components could contain binary data, but this be-
+ lief was unfounded, and it has been decided that principal components are
+ infact UTF8, so it's safe to use zero terminated strings.
+
+ It's generally not necessary to look at the components of a principal.
+
+SSEEEE AALLSSOO
+ krb5_unparse_name(3)
+
+ HEIMDAL June 20, 2001 1
diff --git a/kerberosV/src/lib/krb5/krb5_set_default_realm.cat3 b/kerberosV/src/lib/krb5/krb5_set_default_realm.cat3
new file mode 100644
index 00000000000..539e65c3e13
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_set_default_realm.cat3
@@ -0,0 +1,61 @@
+
+KRB5_SET_DEFAULT_REALM(3) UNIX Programmer's Manual KRB5_SET_DEFAULT_REALM(3)
+
+NNAAMMEE
+ kkrrbb55__ffrreeee__hhoosstt__rreeaallmm kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmm kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss
+ kkrrbb55__ggeett__hhoosstt__rreeaallmm kkrrbb55__sseett__ddeeffaauulltt__rreeaallmm - default and host realm read
+ and manipulation routines
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ffrreeee__hhoosstt__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m_l_i_s_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_e_a_l_m _*_r_e_a_l_m)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___r_e_a_l_m _*_*_r_e_a_l_m)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ggeett__hhoosstt__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_h_o_s_t,
+ _k_r_b_5___r_e_a_l_m _*_*_r_e_a_l_m_s)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__sseett__ddeeffaauulltt__rreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_r_e_a_l_m)
+
+DDEESSCCRRIIPPTTIIOONN
+ kkrrbb55__ffrreeee__hhoosstt__rreeaallmm() frees all memory allocated by _r_e_a_l_m_l_i_s_t.
+
+ kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmm() returns the first default realm for this host.
+ The realm returned should be free with ffrreeee().
+
+ kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss() returns a NULL terminated list of default
+ realms for this context. Realms returned by kkrrbb55__ggeett__ddeeffaauulltt__rreeaallmmss()
+ should be free with kkrrbb55__ffrreeee__hhoosstt__rreeaallmm().
+
+ kkrrbb55__ggeett__hhoosstt__rreeaallmm() returns a NULL terminated list of realms for _h_o_s_t
+ by looking up the information in the [domain_realm] in _k_r_b_5_._c_o_n_f or in
+ DNS. If the mapping in [domain_realm] results in the string dns_locate,
+ DNS is used to lookup the realm.
+
+ When using DNS to a resolve the domain for the host a.b.c,
+ kkrrbb55__ggeett__hhoosstt__rreeaallmm() looks for a TXT resource record named
+ _kerberos.a.b.c, and if not found, it strips off the first component and
+ tries a again (_kerberos.b.c) until it reaches the root.
+
+ If there is no configuration or DNS information found,
+ kkrrbb55__ggeett__hhoosstt__rreeaallmm() assumes it can use the domain part of the _h_o_s_t to
+ form a realm.
+
+ kkrrbb55__sseett__ddeeffaauulltt__rreeaallmm() sets the default realm for the _c_o_n_t_e_x_t. If NULL
+ is used as a _r_e_a_l_m, the [libdefaults]default_realm stanza in _k_r_b_5_._c_o_n_f is
+ used. If there is no such stanza in the configuration file, the
+ kkrrbb55__ggeett__hhoosstt__rreeaallmm() function is used to form a default realm.
+
+SSEEEE AALLSSOO
+ krb5.conf(5), free(3)
+
+ HEIMDAL Mar 16, 2003 1
diff --git a/kerberosV/src/lib/krb5/krb5_set_password.3 b/kerberosV/src/lib/krb5/krb5_set_password.3
new file mode 100644
index 00000000000..71079f71431
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_set_password.3
@@ -0,0 +1,109 @@
+.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $KTH: krb5_set_password.3,v 1.3.2.1 2004/06/21 10:51:20 lha Exp $
+.\"
+.Dd June 2, 2004
+.Dt KRB5_SET_PASSWORD 3
+.Os HEIMDAL
+.Sh NAME
+.Nm krb5_change_password ,
+.Nm krb5_set_password ,
+.Nm krb5_set_password_using_ccache
+.Nd change password functions
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
+.Ft krb5_error_code
+.Fo krb5_change_password
+.Fa "krb5_context context"
+.Fa "krb5_creds *creds"
+.Fa "char *newpw"
+.Fa "int *result_code"
+.Fa "krb5_data *result_code_string"
+.Fa "krb5_data *result_string"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_set_password
+.Fa "krb5_context context"
+.Fa "krb5_creds *creds"
+.Fa "char *newpw"
+.Fa "krb5_principal targprinc",
+.Fa "int *result_code"
+.Fa "krb5_data *result_code_string"
+.Fa "krb5_data *result_string"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_set_password_using_ccache
+.Fa "krb5_context context"
+.Fa "krb5_ccache ccache"
+.Fa "char *newpw"
+.Fa "krb5_principal targprinc"
+.Fa "int *result_code"
+.Fa "krb5_data *result_code_string"
+.Fa "krb5_data *result_string"
+.Fc
+.Sh DESCRIPTION
+These functions change the password for a given principal.
+.Pp
+.Fn krb5_set_password
+and
+.Fa krb5_set_password_using_ccache
+is the newer two of the three functions and uses a newer version of the
+protocol (and falls back to the older when the newer doesn't work).
+.Pp
+.Fn krb5_change_password
+set the password
+.Fa newpasswd
+for the client principal in
+.Fa creds .
+The server principal of creds must be
+.Li kadmin/changepw .
+.Pp
+.Fn krb5_set_password
+changes the password for the principal
+.Fa targprinc ,
+if
+.Fa targprinc
+is
+.Dv NULL
+the default principal in
+.Fa ccache
+is used.
+.Pp
+Both functions returns and error in
+.Fa result_code
+and maybe an error strings to print in
+.Fa result_string .
+.Sh SEE ALSO
+.Xr krb5_ccache 3 ,
+.Xr krb5_init_context 3
diff --git a/kerberosV/src/lib/krb5/krb5_set_password.cat3 b/kerberosV/src/lib/krb5/krb5_set_password.cat3
new file mode 100644
index 00000000000..5c1189674f4
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_set_password.cat3
@@ -0,0 +1,46 @@
+
+KRB5_SET_PASSWORD(3) UNIX Programmer's Manual KRB5_SET_PASSWORD(3)
+
+NNAAMMEE
+ kkrrbb55__cchhaannggee__ppaasssswwoorrdd, kkrrbb55__sseett__ppaasssswwoorrdd, kkrrbb55__sseett__ppaasssswwoorrdd__uussiinngg__ccccaacchhee -
+ change password functions
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__cchhaannggee__ppaasssswwoorrdd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s,
+ _c_h_a_r _*_n_e_w_p_w, _i_n_t _*_r_e_s_u_l_t___c_o_d_e, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___c_o_d_e___s_t_r_i_n_g,
+ _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___s_t_r_i_n_g)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__sseett__ppaasssswwoorrdd(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_r_e_d_s _*_c_r_e_d_s,
+ _c_h_a_r _*_n_e_w_p_w,_k_r_b_5___p_r_i_n_c_i_p_a_l _t_a_r_g_p_r_i_n_c, _,, _i_n_t _*_r_e_s_u_l_t___c_o_d_e,
+ _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___c_o_d_e___s_t_r_i_n_g, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___s_t_r_i_n_g)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__sseett__ppaasssswwoorrdd__uussiinngg__ccccaacchhee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e,
+ _c_h_a_r _*_n_e_w_p_w, _k_r_b_5___p_r_i_n_c_i_p_a_l _t_a_r_g_p_r_i_n_c, _i_n_t _*_r_e_s_u_l_t___c_o_d_e,
+ _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___c_o_d_e___s_t_r_i_n_g, _k_r_b_5___d_a_t_a _*_r_e_s_u_l_t___s_t_r_i_n_g)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions change the password for a given principal.
+
+ kkrrbb55__sseett__ppaasssswwoorrdd() and _k_r_b_5___s_e_t___p_a_s_s_w_o_r_d___u_s_i_n_g___c_c_a_c_h_e is the newer two
+ of the three functions and uses a newer version of the protocol (and
+ falls back to the older when the newer doesn't work).
+
+ kkrrbb55__cchhaannggee__ppaasssswwoorrdd() set the password _n_e_w_p_a_s_s_w_d for the client princi-
+ pal in _c_r_e_d_s. The server principal of creds must be kadmin/changepw.
+
+ kkrrbb55__sseett__ppaasssswwoorrdd() changes the password for the principal _t_a_r_g_p_r_i_n_c, if
+ _t_a_r_g_p_r_i_n_c is NULL the default principal in _c_c_a_c_h_e is used.
+
+ Both functions returns and error in _r_e_s_u_l_t___c_o_d_e and maybe an error
+ strings to print in _r_e_s_u_l_t___s_t_r_i_n_g.
+
+SSEEEE AALLSSOO
+ krb5_ccache(3), krb5_init_context(3)
+
+ HEIMDAL June 2, 2004 1
diff --git a/kerberosV/src/lib/krb5/krb5_sname_to_principal.cat3 b/kerberosV/src/lib/krb5/krb5_sname_to_principal.cat3
new file mode 100644
index 00000000000..25e0cde33b8
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_sname_to_principal.cat3
@@ -0,0 +1,36 @@
+
+KRB5_PRINCIPAL(3) UNIX Programmer's Manual KRB5_PRINCIPAL(3)
+
+NNAAMMEE
+ kkrrbb55__ssnnaammee__ttoo__pprriinncciippaall, kkrrbb55__ssoocckk__ttoo__pprriinncciippaall - create a service prin-
+ cipal
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ssnnaammee__ttoo__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_h_o_s_t_n_a_m_e,
+ _c_o_n_s_t _c_h_a_r _*_s_n_a_m_e, _i_n_t_3_2___t _t_y_p_e, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ssoocckk__ttoo__pprriinncciippaall(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _s_o_c_k_e_t,
+ _c_o_n_s_t _c_h_a_r _*_s_n_a_m_e, _i_n_t_3_2___t _t_y_p_e, _k_r_b_5___p_r_i_n_c_i_p_a_l _*_p_r_i_n_c_i_p_a_l)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions create a ``service'' principal that can, for instance, be
+ used to lookup a key in a keytab. For both these function the _s_n_a_m_e pa-
+ rameter will be used for the first component of the created principal. If
+ _s_n_a_m_e is NULL, ``host'' will be used instead. kkrrbb55__ssnnaammee__ttoo__pprriinncciippaall()
+ will use the passed _h_o_s_t_n_a_m_e for the second component. If type
+ KRB5_NT_SRV_HST this name will be looked up with ggeetthhoossttbbyynnaammee(). If
+ _h_o_s_t_n_a_m_e _i_s NULL, the local hostname will be used.
+
+ kkrrbb55__ssoocckk__ttoo__pprriinncciippaall() will use the ``sockname'' of the passed _s_o_c_k_e_t,
+ which should be a bound AF_INET socket.
+
+SSEEEE AALLSSOO
+ krb5_425_conv_principal(3), krb5_build_principal(3),
+ krb5_free_principal(3), krb5_parse_name(3), krb5_unparse_name(3)
+
+ HEIMDAL August 8, 1997 1
diff --git a/kerberosV/src/lib/krb5/krb5_timeofday.cat3 b/kerberosV/src/lib/krb5/krb5_timeofday.cat3
new file mode 100644
index 00000000000..fe0a2afe207
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_timeofday.cat3
@@ -0,0 +1,25 @@
+
+KRB5_TIMEOFDAY(3) UNIX Programmer's Manual KRB5_TIMEOFDAY(3)
+
+NNAAMMEE
+ kkrrbb55__ttiimmeeooffddaayy, kkrrbb55__uuss__ttiimmeeooffddaayy - whatever these functions do
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__ttiimmeeooffddaayy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___t_i_m_e_s_t_a_m_p _*_t_i_m_e_r_e_t)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__uuss__ttiimmeeooffddaayy(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t_3_2___t _*_s_e_c, _i_n_t_3_2___t _*_u_s_e_c)
+
+DDEESSCCRRIIPPTTIIOONN
+ kkrrbb55__ttiimmeeooffddaayy() returns the current time, but adjusted with the time
+ difference between the local host and the KDC. kkrrbb55__uuss__ttiimmeeooffddaayy() also
+ returns microseconds.
+
+SSEEEE AALLSSOO
+ gettimeofday(2)
+
+ July 1, 2001 1
diff --git a/kerberosV/src/lib/krb5/krb5_unparse_name.cat3 b/kerberosV/src/lib/krb5/krb5_unparse_name.cat3
new file mode 100644
index 00000000000..0eb8d76be51
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_unparse_name.cat3
@@ -0,0 +1,24 @@
+
+KRB5_UNPARSE_NAME(3) UNIX Programmer's Manual KRB5_UNPARSE_NAME(3)
+
+NNAAMMEE
+ kkrrbb55__uunnppaarrssee__nnaammee - principal to string conversion
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__uunnppaarrssee__nnaammee(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l,
+ _c_h_a_r _*_*_n_a_m_e)
+
+DDEESSCCRRIIPPTTIIOONN
+ This function takes a _p_r_i_n_c_i_p_a_l, and will convert in to a printable rep-
+ resentation with the same syntax as described in krb5_parse_name(3).
+ _*_n_a_m_e will point to allocated data and should be freed by the caller.
+
+SSEEEE AALLSSOO
+ krb5_425_conv_principal(3), krb5_build_principal(3),
+ krb5_free_principal(3), krb5_parse_name(3), krb5_sname_to_principal(3)
+
+ HEIMDAL August 8, 1997 1
diff --git a/kerberosV/src/lib/krb5/krb5_verify_user.cat3 b/kerberosV/src/lib/krb5/krb5_verify_user.cat3
new file mode 100644
index 00000000000..ef1250ed613
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_verify_user.cat3
@@ -0,0 +1,128 @@
+
+KRB5_VERIFY_USER(3) UNIX Programmer's Manual KRB5_VERIFY_USER(3)
+
+NNAAMMEE
+ kkrrbb55__vveerriiffyy__uusseerr, kkrrbb55__vveerriiffyy__uusseerr__llrreeaallmm, kkrrbb55__vveerriiffyy__uusseerr__oopptt,
+ kkrrbb55__vveerriiffyy__oopptt__iinniitt kkrrbb55__vveerriiffyy__oopptt__sseett__ffllaaggss,
+ kkrrbb55__vveerriiffyy__oopptt__sseett__sseerrvviiccee, kkrrbb55__vveerriiffyy__oopptt__sseett__sseeccuurree,
+ kkrrbb55__vveerriiffyy__oopptt__sseett__kkeeyyttaabb - Heimdal password verifying functions.
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__vveerriiffyy__uusseerr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l,
+ _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d, _k_r_b_5___b_o_o_l_e_a_n _s_e_c_u_r_e,
+ _c_o_n_s_t _c_h_a_r _*_s_e_r_v_i_c_e)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__vveerriiffyy__uusseerr__llrreeaallmm(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l,
+ _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e, _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d, _k_r_b_5___b_o_o_l_e_a_n _s_e_c_u_r_e,
+ _c_o_n_s_t _c_h_a_r _*_s_e_r_v_i_c_e)
+
+ _v_o_i_d
+ kkrrbb55__vveerriiffyy__oopptt__iinniitt(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t)
+
+ _v_o_i_d
+ kkrrbb55__vveerriiffyy__oopptt__sseett__ccccaacchhee(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _k_r_b_5___c_c_a_c_h_e _c_c_a_c_h_e)
+
+ _v_o_i_d
+ kkrrbb55__vveerriiffyy__oopptt__sseett__kkeeyyttaabb(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _k_r_b_5___k_e_y_t_a_b _k_e_y_t_a_b)
+
+ _v_o_i_d
+ kkrrbb55__vveerriiffyy__oopptt__sseett__sseeccuurree(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _k_r_b_5___b_o_o_l_e_a_n _s_e_c_u_r_e)
+
+ _v_o_i_d
+ kkrrbb55__vveerriiffyy__oopptt__sseett__sseerrvviiccee(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _c_o_n_s_t _c_h_a_r _*_s_e_r_v_i_c_e)
+
+ _v_o_i_d
+ kkrrbb55__vveerriiffyy__oopptt__sseett__ffllaaggss(_k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t, _u_n_s_i_g_n_e_d _i_n_t _f_l_a_g_s)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__vveerriiffyy__uusseerr__oopptt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___p_r_i_n_c_i_p_a_l _p_r_i_n_c_i_p_a_l,
+ _c_o_n_s_t _c_h_a_r _*_p_a_s_s_w_o_r_d, _k_r_b_5___v_e_r_i_f_y___o_p_t _*_o_p_t)
+
+DDEESSCCRRIIPPTTIIOONN
+ The kkrrbb55__vveerriiffyy__uusseerr function verifies the password supplied by a user.
+ The principal whose password will be verified is specified in _p_r_i_n_c_i_p_a_l.
+ New tickets will be obtained as a side-effect and stored in _c_c_a_c_h_e (if
+ NULL, the default ccache is used). kkrrbb55__vveerriiffyy__uusseerr() will call
+ kkrrbb55__cccc__iinniittiiaalliizzee() on the given _c_c_a_c_h_e, so _c_c_a_c_h_e must only initialized
+ with kkrrbb55__cccc__rreessoollvvee() or kkrrbb55__cccc__ggeenn__nneeww(). If the password is not sup-
+ plied in _p_a_s_s_w_o_r_d (and is given as NULL) the user will be prompted for
+ it. If _s_e_c_u_r_e the ticket will be verified against the locally stored
+ service key _s_e_r_v_i_c_e (by default `host' if given as NULL ).
+
+ The kkrrbb55__vveerriiffyy__uusseerr__llrreeaallmm function does the same, except that it ig-
+ nores the realm in _p_r_i_n_c_i_p_a_l and tries all the local realms (see
+ krb5.conf(5)). After a successful return, the principal is set to the
+ authenticated realm. If the call fails, the principal will not be mean-
+ ingful, and should only be freed with krb5_free_principal(3).
+
+ kkrrbb55__vveerriiffyy__oopptt__iinniitt() resets all opt to default values.
+
+
+ None of the krb5_verify_opt_set function makes a copy of the data struc-
+ ture that they are called with. Its up the caller to free them after the
+ kkrrbb55__vveerriiffyy__uusseerr__oopptt() is called.
+
+ kkrrbb55__vveerriiffyy__oopptt__sseett__ccccaacchhee() sets the _c_c_a_c_h_e that user of _o_p_t will use.
+ If not set, the default credential cache will be used.
+
+ kkrrbb55__vveerriiffyy__oopptt__sseett__kkeeyyttaabb() sets the _k_e_y_t_a_b that user of _o_p_t will use.
+ If not set, the default keytab will be used.
+
+ kkrrbb55__vveerriiffyy__oopptt__sseett__sseeccuurree() if _s_e_c_u_r_e if true, the password verification
+ will require that the ticket will be verified against the locally stored
+ service key. If not set, default value is true.
+
+ kkrrbb55__vveerriiffyy__oopptt__sseett__sseerrvviiccee() sets the _s_e_r_v_i_c_e principal that user of _o_p_t
+ will use. If not set, the `host' service will be used.
+
+ kkrrbb55__vveerriiffyy__oopptt__sseett__ffllaaggss() sets _f_l_a_g_s that user of _o_p_t will use. If the
+ flag KRB5_VERIFY_LREALMS is used, the _p_r_i_n_c_i_p_a_l will be modified like
+ kkrrbb55__vveerriiffyy__uusseerr__llrreeaallmm() modifies it.
+
+ kkrrbb55__vveerriiffyy__uusseerr__oopptt() function verifies the _p_a_s_s_w_o_r_d supplied by a user.
+ The principal whose password will be verified is specified in _p_r_i_n_c_i_p_a_l.
+ Options the to the verification process is pass in in _o_p_t.
+
+EEXXAAMMPPLLEE
+ Here is a example program that verifies a password. it uses the
+ `host/`hostname`' service principal in _k_r_b_5_._k_e_y_t_a_b.
+
+ #include <krb5.h>
+
+ int
+ main(int argc, char **argv)
+ {
+ char *user;
+ krb5_error_code error;
+ krb5_principal princ;
+ krb5_context context;
+
+ if (argc != 2)
+ errx(1, "usage: verify_passwd <principal-name>");
+
+ user = argv[1];
+
+ if (krb5_init_context(&context) < 0)
+ errx(1, "krb5_init_context");
+
+ if ((error = krb5_parse_name(context, user, &princ)) != 0)
+ krb5_err(context, 1, error, "krb5_parse_name");
+
+ error = krb5_verify_user(context, princ, NULL, NULL, TRUE, NULL);
+ if (error)
+ krb5_err(context, 1, error, "krb5_verify_user");
+
+ return 0;
+ }
+
+SSEEEE AALLSSOO
+ krb5_err(3), krb5_cc_gen_new(3), krb5_cc_resolve(3),
+ krb5_cc_initialize(3), krb5_free_principal(3), krb5_init_context(3),
+ krb5_kt_default(3), krb5.conf(5)
+
+ HEIMDAL March 25, 2003 2
diff --git a/kerberosV/src/lib/krb5/krb5_warn.cat3 b/kerberosV/src/lib/krb5/krb5_warn.cat3
new file mode 100644
index 00000000000..72777bd8f92
--- /dev/null
+++ b/kerberosV/src/lib/krb5/krb5_warn.cat3
@@ -0,0 +1,66 @@
+
+KRB5_WARN(3) UNIX Programmer's Manual KRB5_WARN(3)
+
+NNAAMMEE
+ kkrrbb55__wwaarrnn, kkrrbb55__wwaarrnnxx, kkrrbb55__vvwwaarrnn, kkrrbb55__vvwwaarrnnxx, kkrrbb55__eerrrr, kkrrbb55__eerrrrxx,
+ kkrrbb55__vveerrrr, kkrrbb55__vveerrrrxx, kkrrbb55__sseett__wwaarrnn__ddeesstt - Heimdal warning and error
+ functions
+
+LLIIBBRRAARRYY
+ Kerberos 5 Library (libkrb5, -lkrb5)
+
+SSYYNNOOPPSSIISS
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__eerrrr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _e_v_a_l, _k_r_b_5___e_r_r_o_r___c_o_d_e _c_o_d_e,
+ _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _._._.)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__eerrrrxx(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _e_v_a_l, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _._._.)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__vveerrrr(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _e_v_a_l, _k_r_b_5___e_r_r_o_r___c_o_d_e _c_o_d_e,
+ _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _v_a___l_i_s_t _a_p)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__vveerrrrxx(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _i_n_t _e_v_a_l, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t,
+ _v_a___l_i_s_t _a_p)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__vvwwaarrnn(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_r_r_o_r___c_o_d_e _c_o_d_e,
+ _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _v_a___l_i_s_t _a_p)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__vvwwaarrnnxx(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _v_a___l_i_s_t _a_p)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__wwaarrnn(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_r_r_o_r___c_o_d_e _c_o_d_e, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t,
+ _._._.)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__wwaarrnnxx(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _c_o_n_s_t _c_h_a_r _*_f_o_r_m_a_t, _._._.)
+
+ _k_r_b_5___e_r_r_o_r___c_o_d_e
+ kkrrbb55__sseett__wwaarrnn__ddeesstt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___l_o_g___f_a_c_i_l_i_t_y _*_f_a_c_i_l_i_t_y)
+
+ _c_h_a_r _*
+ kkrrbb55__ggeett__eerrrr__tteexxtt(_k_r_b_5___c_o_n_t_e_x_t _c_o_n_t_e_x_t, _k_r_b_5___e_r_r_o_r___c_o_d_e _c_o_d_e)
+
+DDEESSCCRRIIPPTTIIOONN
+ These functions prints a warning message to some destination. _f_o_r_m_a_t is
+ a printf style format specifying the message to print. The forms not end-
+ ing in an ``x'' prints the error string associated with _c_o_d_e along with
+ the message. The ``err'' functions exits with exit status _e_v_a_l after
+ printing the message.
+
+ The kkrrbb55__sseett__wwaarrnn__ffuunncc() function sets the destination for warning mes-
+ sages to the specified _f_a_c_i_l_i_t_y. Messages logged with the ``warn'' func-
+ tions have a log level of 1, while the ``err'' functions logs with level
+ 0.
+
+ kkrrbb55__ggeett__eerrrr__tteexxtt() fetches the human readable strings describing the er-
+ ror-code.
+
+SSEEEE AALLSSOO
+ krb5_openlog(3)
+
+ HEIMDAL August 8, 1997 1
diff --git a/kerberosV/src/lib/krb5/mcache.c b/kerberosV/src/lib/krb5/mcache.c
index 6767e4e0587..234b9ca14da 100644
--- a/kerberosV/src/lib/krb5/mcache.c
+++ b/kerberosV/src/lib/krb5/mcache.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,11 +33,12 @@
#include "krb5_locl.h"
-RCSID("$KTH: mcache.c,v 1.15 2002/04/18 09:40:33 joda Exp $");
+RCSID("$KTH: mcache.c,v 1.15.6.1 2004/03/06 16:57:16 lha Exp $");
typedef struct krb5_mcache {
char *name;
unsigned int refcnt;
+ int dead;
krb5_principal primary_principal;
struct link {
krb5_creds cred;
@@ -50,7 +51,7 @@ static struct krb5_mcache *mcc_head;
#define MCACHE(X) ((krb5_mcache *)(X)->data.data)
-#define MISDEAD(X) ((X)->primary_principal == NULL)
+#define MISDEAD(X) ((X)->dead)
#define MCC_CURSOR(C) ((struct link*)(C))
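Review bot: With `MISDEAD(X)` now reading only `(X)->dead`, a cache that has been allocated but never initialised is no longer reported as dead, so a `MISDEAD` test alone no longer guarantees that `primary_principal` is non-NULL. This commit adds the explicit NULL test only in mcc_get_principal; any other `MISDEAD` call site in mcache.c that goes on to read `primary_principal` lies outside the visible hunks and should be checked for the same guard. The new struct field would also benefit from a comment, for example `int dead; /* set by mcc_destroy, cleared by mcc_alloc and mcc_initialize */`.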
@@ -77,6 +78,7 @@ mcc_alloc(const char *name)
free(m);
return NULL;
}
+ m->dead = 0;
m->refcnt = 1;
m->primary_principal = NULL;
m->creds = NULL;
@@ -137,9 +139,11 @@ mcc_initialize(krb5_context context,
krb5_ccache id,
krb5_principal primary_principal)
{
+ krb5_mcache *m = MCACHE(id);
+ m->dead = 0;
return krb5_copy_principal (context,
primary_principal,
- &MCACHE(id)->primary_principal);
+ &m->primary_principal);
}
static krb5_error_code
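Review bot: `m->dead = 0` is written before `krb5_copy_principal` has succeeded, and the copy targets `m->primary_principal` directly, so a failed copy leaves the cache marked live with whatever the call left in that field, and initialising a cache that already holds a principal appears to leak the old one. Copying into a local and committing only on success avoids both. Whether re-initialising a destroyed cache is meant to be supported cannot be told from this hunk, and the function's signature begins above it.

```c
    krb5_mcache *m = MCACHE(id);
    krb5_principal p;
    krb5_error_code ret;

    ret = krb5_copy_principal (context, primary_principal, &p);
    if (ret)
        return ret;
    /* release a principal left over from an earlier initialise */
    if (m->primary_principal != NULL)
        krb5_free_principal (context, m->primary_principal);
    m->primary_principal = p;
    m->dead = 0;
    return 0;
```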
@@ -178,9 +182,12 @@ mcc_destroy(krb5_context context,
break;
}
}
- krb5_free_principal (context, m->primary_principal);
- m->primary_principal = NULL;
-
+ if (m->primary_principal != NULL) {
+ krb5_free_principal (context, m->primary_principal);
+ m->primary_principal = NULL;
+ }
+ m->dead = 1;
+
l = m->creds;
while (l != NULL) {
struct link *old;
@@ -231,9 +238,8 @@ mcc_get_principal(krb5_context context,
{
krb5_mcache *m = MCACHE(id);
- if (MISDEAD(m))
+ if (MISDEAD(m) || m->primary_principal == NULL)
return ENOENT;
-
return krb5_copy_principal (context,
m->primary_principal,
principal);
diff --git a/kerberosV/src/lib/krb5/mk_safe.c b/kerberosV/src/lib/krb5/mk_safe.c
index 2301de51242..eaf41ede850 100644
--- a/kerberosV/src/lib/krb5/mk_safe.c
+++ b/kerberosV/src/lib/krb5/mk_safe.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$KTH: mk_safe.c,v 1.28 2002/09/04 16:26:05 joda Exp $");
+RCSID("$KTH: mk_safe.c,v 1.28.4.1 2004/03/07 12:46:43 lha Exp $");
krb5_error_code
krb5_mk_safe(krb5_context context,
@@ -69,7 +69,7 @@ krb5_mk_safe(krb5_context context,
sec2 = sec;
s.safe_body.timestamp = &sec2;
- usec2 = usec2;
+ usec2 = usec;
s.safe_body.usec = &usec2;
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
tmp_seq = auth_context->local_seqnumber;
diff --git a/kerberosV/src/lib/krb5/parse-name-test.c b/kerberosV/src/lib/krb5/parse-name-test.c
index 1f70bf61123..7b5a8a38677 100644
--- a/kerberosV/src/lib/krb5/parse-name-test.c
+++ b/kerberosV/src/lib/krb5/parse-name-test.c
@@ -32,7 +32,7 @@
#include "krb5_locl.h"
-RCSID("$KTH: parse-name-test.c,v 1.3 2002/08/30 03:20:11 assar Exp $");
+RCSID("$KTH: parse-name-test.c,v 1.3.4.1 2004/03/22 19:27:36 joda Exp $");
enum { MAX_COMPONENTS = 3 };
@@ -60,7 +60,7 @@ static struct testcase {
{"/a", "/a@", "", 2, {"", "a"}, FALSE},
{"\\@@\\@", "\\@@\\@", "@", 1, {"@"}, TRUE},
{"a/b/c", "a/b/c@", "", 3, {"a", "b", "c"}, FALSE},
- {NULL, NULL, "", 0, {}, FALSE}};
+ {NULL, NULL, "", 0, { NULL }, FALSE}};
int
main(int argc, char **argv)
diff --git a/kerberosV/src/lib/krb5/ticket.c b/kerberosV/src/lib/krb5/ticket.c
index ecdead19d23..208457aa6e6 100644
--- a/kerberosV/src/lib/krb5/ticket.c
+++ b/kerberosV/src/lib/krb5/ticket.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$KTH: ticket.c,v 1.5 2001/05/14 06:14:51 assar Exp $");
+RCSID("$KTH: ticket.c,v 1.5.8.1 2003/09/18 21:01:57 lha Exp $");
krb5_error_code
krb5_free_ticket(krb5_context context,
@@ -51,7 +51,10 @@ krb5_copy_ticket(krb5_context context,
krb5_ticket **to)
{
krb5_error_code ret;
- krb5_ticket *tmp = malloc(sizeof(*tmp));
+ krb5_ticket *tmp;
+
+ *to = NULL;
+ tmp = malloc(sizeof(*tmp));
if(tmp == NULL) {
krb5_set_error_string (context, "malloc: out of memory");
return ENOMEM;
@@ -63,12 +66,14 @@ krb5_copy_ticket(krb5_context context,
ret = krb5_copy_principal(context, from->client, &tmp->client);
if(ret){
free_EncTicketPart(&tmp->ticket);
+ free(tmp);
return ret;
}
- ret = krb5_copy_principal(context, from->server, &(*to)->server);
+ ret = krb5_copy_principal(context, from->server, &tmp->server);
if(ret){
krb5_free_principal(context, tmp->client);
free_EncTicketPart(&tmp->ticket);
+ free(tmp);
return ret;
}
*to = tmp;
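Review bot: Each error exit in krb5_copy_ticket still carries its own hand-written unwind sequence, which is the pattern that let the missing `free(tmp)` calls fixed here go unnoticed; a single cleanup tail reached by `goto` keeps the exits from drifting apart again. The failure path that sits between the two hunks (presumably the copy that fills `tmp->ticket`) is not shown and should be checked for the same `free(tmp)`. The function starts and ends outside this hunk.

```c
    ret = krb5_copy_principal(context, from->client, &tmp->client);
    if(ret)
        goto out_ticket;
    ret = krb5_copy_principal(context, from->server, &tmp->server);
    if(ret)
        goto out_client;
    *to = tmp;
    /* … unchanged: success return … */

out_client:
    krb5_free_principal(context, tmp->client);
out_ticket:
    free_EncTicketPart(&tmp->ticket);
    free(tmp);
    return ret;
```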
diff --git a/kerberosV/src/lib/krb5/verify_krb5_conf.cat8 b/kerberosV/src/lib/krb5/verify_krb5_conf.cat8
new file mode 100644
index 00000000000..b9cbd32c99c
--- /dev/null
+++ b/kerberosV/src/lib/krb5/verify_krb5_conf.cat8
@@ -0,0 +1,57 @@
+
+VERIFY_KRB5_CONF(8) UNIX System Manager's Manual VERIFY_KRB5_CONF(8)
+
+NNAAMMEE
+ vveerriiffyy__kkrrbb55__ccoonnff - checks krb5.conf for obvious errors
+
+SSYYNNOOPPSSIISS
+ vveerriiffyy__kkrrbb55__ccoonnff _[_c_o_n_f_i_g_-_f_i_l_e_]
+
+DDEESSCCRRIIPPTTIIOONN
+ vveerriiffyy__kkrrbb55__ccoonnff reads the configuration file _k_r_b_5_._c_o_n_f, or the file giv-
+ en on the command line, and parses it, thereby verifying that the syntax
+ is not correctly wrong.
+
+ If the file is syntactically correct, vveerriiffyy__kkrrbb55__ccoonnff tries to verify
+ that the contents of the file is of relevant nature.
+
+DDIIAAGGNNOOSSTTIICCSS
+ Possible output from vveerriiffyy__kkrrbb55__ccoonnff include:
+
+ <path>: failed to parse <something> as size/time/number/boolean
+ Usually means that <something> is misspelled, or that it contains
+ weird characters. The parsing done by vveerriiffyy__kkrrbb55__ccoonnff is more
+ strict than the one performed by libkrb5, and so strings that
+ work in real life, might be reported as bad.
+
+ <path>: host not found (<hostname>)
+ Means that <path> is supposed to point to a host, but it can't be
+ recognised as one.
+
+ <path>: unknown or wrong type
+ Means that <path> is either is a string when it should be a list,
+ vice versa, or just that vveerriiffyy__kkrrbb55__ccoonnff is confused.
+
+ <path>: unknown entry
+ Means that <string> is not known by .
+
+EENNVVIIRROONNMMEENNTT
+ KRB5_CONFIG points to the configuration file to read.
+
+FFIILLEESS
+ /etc/krb5.conf Kerberos 5 configuration file
+
+SSEEEE AALLSSOO
+ krb5.conf(5)
+
+BBUUGGSS
+ Since each application can put almost anything in the config file, it's
+ hard to come up with a water tight verification process. Most of the de-
+ fault settings are sanity checked, but this does not mean that every
+ problem is discovered, or that everything that is reported as a possible
+ problem actually is one. This tool should thus be used with some care.
+
+ It should warn about obsolete data, or bad practice, but currently
+ doesn't.
+
+ HEIMDAL August 30, 2001 1
diff --git a/kerberosV/src/lib/roken/ChangeLog b/kerberosV/src/lib/roken/ChangeLog
index 971bc90c42b..3132d23ae66 100644
--- a/kerberosV/src/lib/roken/ChangeLog
+++ b/kerberosV/src/lib/roken/ChangeLog
@@ -1,5 +1,18 @@
-2003-04-22 Love <lha@stacken.kth.se>
+2004-01-15 Love <lha@stacken.kth.se>
+
+ * roken-common.h: 1.52: use EAI_NONAME instead of EAI_ADDRFAMILY
+ to check for if we need EAI_ macros
+
+ * gai_strerror.c: 1.4: correct ifdef for EAI_ADDRFAMILY
+ 1.3: EAI_ADDRFAMILY and EAI_NODATA is deprecated
+
+2003-08-29 Love <lha@stacken.kth.se>
+ * ndbm_wrap.c: 1.1->1.2: patch for working with DB4 on
+ heimdal-discuss From: Luke Howard <lukeh@PADL.COM>
+
+2003-04-22 Love <lha@stacken.kth.se>
+
* resolve.c: 1.38->1.39: copy NUL too, from janj@wenf.org via
openbsd
diff --git a/kerberosV/src/lib/roken/gai_strerror.c b/kerberosV/src/lib/roken/gai_strerror.c
index 82577eaf9eb..c2754813c65 100644
--- a/kerberosV/src/lib/roken/gai_strerror.c
+++ b/kerberosV/src/lib/roken/gai_strerror.c
@@ -33,7 +33,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
-RCSID("$KTH: gai_strerror.c,v 1.2 1999/12/03 04:10:06 assar Exp $");
+RCSID("$KTH: gai_strerror.c,v 1.2.20.1 2004/01/15 18:14:17 lha Exp $");
#endif
#include "roken.h"
@@ -43,13 +43,17 @@ static struct gai_error {
char *str;
} errors[] = {
{EAI_NOERROR, "no error"},
+#ifdef EAI_ADDRFAMILY
{EAI_ADDRFAMILY, "address family for nodename not supported"},
+#endif
{EAI_AGAIN, "temporary failure in name resolution"},
{EAI_BADFLAGS, "invalid value for ai_flags"},
{EAI_FAIL, "non-recoverable failure in name resolution"},
{EAI_FAMILY, "ai_family not supported"},
{EAI_MEMORY, "memory allocation failure"},
+#ifdef EAI_NODATA
{EAI_NODATA, "no address associated with nodename"},
+#endif
{EAI_NONAME, "nodename nor servname provided, or not known"},
{EAI_SERVICE, "servname not supported for ai_socktype"},
{EAI_SOCKTYPE, "ai_socktype not supported"},
diff --git a/kerberosV/src/lib/roken/getarg.cat3 b/kerberosV/src/lib/roken/getarg.cat3
new file mode 100644
index 00000000000..84611f04401
--- /dev/null
+++ b/kerberosV/src/lib/roken/getarg.cat3
@@ -0,0 +1,230 @@
+
+GETARG(3) UNIX Programmer's Manual GETARG(3)
+
+NNAAMMEE
+ ggeettaarrgg, aarrgg__pprriinnttuussaaggee - collect command line options
+
+SSYYNNOOPPSSIISS
+ _i_n_t
+ ggeettaarrgg(_s_t_r_u_c_t _g_e_t_a_r_g_s _*_a_r_g_s, _s_i_z_e___t _n_u_m___a_r_g_s, _i_n_t _a_r_g_c, _c_h_a_r _*_*_a_r_g_v,
+ _i_n_t _*_o_p_t_i_n_d)
+
+ _v_o_i_d
+ aarrgg__pprriinnttuussaaggee(_s_t_r_u_c_t _g_e_t_a_r_g_s _*_a_r_g_s, _s_i_z_e___t _n_u_m___a_r_g_s,
+ _c_o_n_s_t _c_h_a_r _*_p_r_o_g_n_a_m_e, _c_o_n_s_t _c_h_a_r _*_e_x_t_r_a___s_t_r_i_n_g)
+
+DDEESSCCRRIIPPTTIIOONN
+ ggeettaarrgg() collects any command line options given to a program in an easi-
+ ly used way. aarrgg__pprriinnttuussaaggee() pretty-prints the available options, with
+ a short help text.
+
+ _a_r_g_s is the option specification to use, and it's an array of _s_t_r_u_c_t
+ _g_e_t_a_r_g_s elements. _n_u_m___a_r_g_s is the size of _a_r_g_s (in elements). _a_r_g_c and
+ _a_r_g_v are the argument count and argument vector to extract option from.
+ _o_p_t_i_n_d is a pointer to an integer where the index to the last processed
+ argument is stored, it must be initialised to the first index (minus one)
+ to process (normally 0) before the first call.
+
+ _a_r_g___p_r_i_n_t_u_s_a_g_e take the same _a_r_g_s and _n_u_m___a_r_g_s as getarg; _p_r_o_g_n_a_m_e is the
+ name of the program (to be used in the help text), and _e_x_t_r_a___s_t_r_i_n_g is a
+ string to print after the actual options to indicate more arguments. The
+ usefulness of this function is realised only be people who has used pro-
+ grams that has help strings that doesn't match what the code does.
+
+ The _g_e_t_a_r_g_s struct has the following elements.
+
+ struct getargs{
+ const char *long_name;
+ char short_name;
+ enum { arg_integer,
+ arg_string,
+ arg_flag,
+ arg_negative_flag,
+ arg_strings,
+ arg_double,
+ arg_collect
+ } type;
+ void *value;
+ const char *help;
+ const char *arg_help;
+ };
+
+ _l_o_n_g___n_a_m_e is the long name of the option, it can be NULL, if you don't
+ want a long name. _s_h_o_r_t___n_a_m_e is the characted to use as short option, it
+ can be zero. If the option has a value the _v_a_l_u_e field gets filled in
+ with that value interpreted as specified by the _t_y_p_e field. _h_e_l_p is a
+ longer help string for the option as a whole, if it's NULL the help text
+ for the option is omitted (but it's still displayed in the synopsis).
+ _a_r_g___h_e_l_p is a description of the argument, if NULL a default value will
+ be used, depending on the type of the option:
+
+ arg_integer the argument is a signed integer, and _v_a_l_u_e should
+ point to an _i_n_t.
+
+ _a_r_g___s_t_r_i_n_g the argument is a string, and _v_a_l_u_e should point to a
+
+ _c_h_a_r_*.
+
+ _a_r_g___f_l_a_g the argument is a flag, and _v_a_l_u_e should point to a
+ _i_n_t. It gets filled in with either zero or one, de-
+ pending on how the option is given, the normal case
+ being one. Note that if the option isn't given, the
+ value isn't altered, so it should be initialised to
+ some useful default.
+
+ _a_r_g___n_e_g_a_t_i_v_e___f_l_a_g this is the same as _a_r_g___f_l_a_g but it reverses the mean-
+ ing of the flag (a given short option clears the
+ flag), and the synopsis of a long option is negated.
+
+ _a_r_g___s_t_r_i_n_g_s the argument can be given multiple times, and the val-
+ ues are collected in an array; _v_a_l_u_e should be a
+ pointer to a _s_t_r_u_c_t _g_e_t_a_r_g___s_t_r_i_n_g_s structure, which
+ holds a length and a string pointer.
+
+ _a_r_g___d_o_u_b_l_e argument is a double precision floating point value,
+ and _v_a_l_u_e should point to a _d_o_u_b_l_e.
+
+ _a_r_g___c_o_l_l_e_c_t allows more fine-grained control of the option parsing
+ process. _v_a_l_u_e should be a pointer to a
+ _g_e_t_a_r_g___c_o_l_l_e_c_t___i_n_f_o structure:
+
+ typedef int (*getarg_collect_func)(int short_opt,
+ int argc,
+ char **argv,
+ int *optind,
+ int *optarg,
+ void *data);
+
+ typedef struct getarg_collect_info {
+ getarg_collect_func func;
+ void *data;
+ } getarg_collect_info;
+
+ With the _f_u_n_c member set to a function to call, and
+ _d_a_t_a to some application specific data. The parameters
+ to the collect function are:
+
+ _s_h_o_r_t___f_l_a_g non-zero if this call is via a short option
+ flag, zero otherwise
+
+ _a_r_g_c, _a_r_g_v the whole argument list
+
+ _o_p_t_i_n_d pointer to the index in argv where the flag is
+
+ _o_p_t_a_r_g pointer to the index in argv[*optind] where the
+ flag name starts
+
+ _d_a_t_a application specific data
+
+ You can modify _*_o_p_t_i_n_d, and _*_o_p_t_a_r_g, but to do this
+ correct you (more or less) have to know about the in-
+ ner workings of getarg.
+
+ You can skip parts of arguments by increasing _*_o_p_t_a_r_g
+ (you could implement the --zz_3 set of flags from ggzziipp
+ with this), or whole argument strings by increasing
+ _*_o_p_t_i_n_d (let's say you want a flag --cc _x _y _z to specify
+ a coordinate); if you also have to set _*_o_p_t_a_r_g to a
+ sane value.
+
+ The collect function should return one of
+ ARG_ERR_NO_MATCH, ARG_ERR_BAD_ARG, ARG_ERR_NO_ARG on
+ error, zero otherwise.
+
+ For your convenience there is a function,
+ ggeettaarrgg__ooppttaarrgg(), that returns the traditional argument
+ string, and you pass it all arguments, sans data, that
+ where given to the collection function.
+
+ Don't use this more this unless you absolutely have
+ to.
+
+ Option parsing is similar to what getopt uses. Short options without ar-
+ guments can be compressed (--xxyyzz is the same as --xx --yy --zz), and short op-
+ tions with arguments take these as either the rest of the argv-string or
+ as the next option (--oo_f_o_o, or --oo _f_o_o).
+
+ Long option names are prefixed with -- (double dash), and the value with
+ a = (equal), ----ffoooo==_b_a_r. Long option flags can either be specified as they
+ are (----hheellpp), or with an (boolean parsable) option (----hheellpp==_y_e_s,
+ ----hheellpp==_t_r_u_e, or similar), or they can also be negated (----nnoo--hheellpp is the
+ same as ----hheellpp==no), and if you're really confused you can do it multiple
+ times (----nnoo--nnoo--hheellpp==_f_a_l_s_e, or even ----nnoo--nnoo--hheellpp==_m_a_y_b_e).
+
+EEXXAAMMPPLLEE
+ #include <stdio.h>
+ #include <string.h>
+ #include <getarg.h>
+
+ char *source = "Ouagadougou";
+ char *destination;
+ int weight;
+ int include_catalog = 1;
+ int help_flag;
+
+ struct getargs args[] = {
+ { "source", 's', arg_string, &source,
+ "source of shippment", "city" },
+ { "destination", 'd', arg_string, &destination,
+ "destination of shippment", "city" },
+ { "weight", 'w', arg_integer, &weight,
+ "weight of shippment", "tons" },
+ { "catalog", 'c', arg_negative_flag, &include_catalog,
+ "include product catalog" },
+ { "help", 'h', arg_flag, &help_flag }
+ };
+
+ int num_args = sizeof(args) / sizeof(args[0]); /* number of elements in args */
+
+ const char *progname = "ship++";
+
+ int
+ main(int argc, char **argv)
+ {
+ int optind = 0;
+ if (getarg(args, num_args, argc, argv, &optind)) {
+ arg_printusage(args, num_args, progname, "stuff...");
+ exit (1);
+ }
+ if (help_flag) {
+ arg_printusage(args, num_args, progname, "stuff...");
+ exit (0);
+ }
+ if (destination == NULL) {
+ fprintf(stderr, "%s: must specify destination\n", progname);
+ exit(1);
+ }
+ if (strcmp(source, destination) == 0) {
+ fprintf(stderr, "%s: destination must be different from source\n");
+ exit(1);
+ }
+ /* include more stuff here ... */
+ exit(2);
+ }
+
+ The output help output from this program looks like this:
+
+ $ ship++ --help
+ Usage: ship++ [--source=city] [-s city] [--destination=city] [-d city]
+ [--weight=tons] [-w tons] [--no-catalog] [-c] [--help] [-h] stuff...
+ -s city, --source=city source of shippment
+ -d city, --destination=city destination of shippment
+ -w tons, --weight=tons weight of shippment
+ -c, --no-catalog include product catalog
+
+BBUUGGSS
+ It should be more flexible, so it would be possible to use other more
+ complicated option syntaxes, such as what ps(1), and tar(1), uses, or
+ the AFS model where you can skip the flag names as long as the options
+ come in the correct order.
+
+ Options with multiple arguments should be handled better.
+
+ Should be integreated with SL.
+
+ It's very confusing that the struct you pass in is called getargS.
+
+SSEEEE AALLSSOO
+ getopt(3)
+
+ ROKEN September 24, 1999 4
diff --git a/kerberosV/src/lib/roken/roken-common.h b/kerberosV/src/lib/roken/roken-common.h
index 593d2591e95..0cdd5d9d2d4 100644
--- a/kerberosV/src/lib/roken/roken-common.h
+++ b/kerberosV/src/lib/roken/roken-common.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $KTH: roken-common.h,v 1.51 2002/09/09 13:41:12 joda Exp $ */
+/* $KTH: roken-common.h,v 1.51.6.1 2004/01/15 18:15:05 lha Exp $ */
#ifndef __ROKEN_COMMON_H__
#define __ROKEN_COMMON_H__
@@ -172,7 +172,7 @@
#define EAI_NOERROR 0 /* no error */
#endif
-#ifndef EAI_ADDRFAMILY
+#ifndef EAI_NONAME
#define EAI_ADDRFAMILY 1 /* address family for nodename not supported */
#define EAI_AGAIN 2 /* temporary failure in name resolution */
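Review bot: Keying the whole fallback block on `EAI_NONAME` means a platform that supplies `EAI_NONAME` but has dropped `EAI_ADDRFAMILY` or `EAI_NODATA` now gets neither macro from this header. gai_strerror.c is adjusted for that in this commit with `#ifdef` guards, but any other file that names those two constants unguarded would stop compiling on such a platform; those files are not in the visible diff and should be searched. A short comment above the test, such as `/* EAI_ADDRFAMILY and EAI_NODATA are deprecated, so test a macro that is not */`, would record why the sentinel changed. The guarded block continues past this hunk.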
@@ -186,7 +186,7 @@
#define EAI_SOCKTYPE 10 /* ai_socktype not supported */
#define EAI_SYSTEM 11 /* system error returned in errno */
-#endif /* EAI_ADDRFAMILY */
+#endif /* EAI_NONAME */
/* flags for getaddrinfo() */